BACKGROUND OF THE INVENTION
Field of the Invention

The present invention relates to elliptic curve arithmetic 
operation techniques and elliptic curve application techniques. 
Description of the Prior Art

In recent years, elliptic curves have come into wide use in encrypted communications technology. Cryptosystems that employ elliptic curves rely for their security on the difficulty of solving a discrete logarithm problem.

Representative examples of the discrete logarithm problem are problems based on finite fields and problems based on elliptic curves. Such problems are described in detail in Neal Koblitz, A Course in Number Theory and Cryptography, Springer-Verlag (1987).

(Elliptic Curve Discrete Logarithm Problem)

The elliptic curve discrete logarithm problem is the following.

Let E(GF(p)) be an elliptic curve defined over a finite field GF(p) whose order is divisible by a large prime, and let a point G on the elliptic curve E be set as a base point. Here, "the order of the elliptic curve" means the number of points on the elliptic curve whose coordinates are in GF(p). This being so, the problem is to find an integer x such that

Y = xG

where Y is a given point on E, if such an integer x exists.

Here, p is a prime and GF(p) contains p elements.
(Conditions for Secure Elliptic Curves)

Given that various cryptanalytic attacks against the elliptic curve discrete logarithm problem have been devised over the years, it is of great importance to construct a secure elliptic curve to strengthen the elliptic curve cryptosystem against these attacks.

In this specification, "constructing an elliptic curve" roughly means determining the parameters a and b of an elliptic curve which is given by the equation

y^2 = x^3 + ax + b

where the sign ^ represents repeated multiplication, such as x^3 = x×x×x.

To be secure against all existing cryptanalytic attacks, an elliptic curve over the finite field GF(p) must satisfy the conditions:

(a) the order of the elliptic curve is not equal to any of p-1, p, and p+1; and

(b) the order of the elliptic curve has a large prime factor.

Condition (a) rules out the curves for which the discrete logarithm problem can be transferred to an easier one: an order of p+1 or p-1 admits the Menezes-Okamoto-Vanstone and Frey-Rück reductions to a discrete logarithm in GF(p) or a small extension of it, and an order equal to p admits the anomalous-curve attack. Condition (b) keeps the Pohlig-Hellman reduction from splitting the problem into small subproblems. In other words, checking the order of the elliptic curve allows the security of the elliptic curve to be assessed.

According to T. Okamoto & K. Ohta, Encryption, Zero Knowledge Proof, and Number Theory, Kyoritsu (1995), pp. 155-156, when the above conditions are satisfied, the computation time required to solve the elliptic curve discrete logarithm problem is exponential in the bit length of the largest prime factor of the elliptic curve order.

(Methods of Constructing Elliptic Curves)

There are mainly two elliptic curve construction methods, namely:

(1) elliptic curve construction using the CM (Complex Multiplication) method; and

(2) elliptic curve construction using an order computation algorithm.

Although method (1) can construct an elliptic curve easily, it cannot choose an elliptic curve at random. For details of this method, see A. Miyaji, "On Ordinary Elliptic Curve Cryptosystems", ASIACRYPT'91, Springer-Verlag (1991), pp. 460-469. Meanwhile, method (2) can construct a random elliptic curve, though it takes considerable time to do so.

(Prior Art Example 1: Elliptic Curve Construction using an Order Computation Algorithm)

The following introduces the method of constructing an elliptic curve using an algorithm to compute the order of the elliptic curve, with reference to Fig. 1. For details on this method, see N. Koblitz, "Elliptic Curve Implementation of Zero-Knowledge Blobs", J. Cryptology, vol. 4, no. 3 (1991), pp. 207-213.

First, a random number is generated (S901), and parameters which define the elliptic curve are generated using the random number (S902). Next, the order of the elliptic curve is computed using the generated parameters (S903). The computed order is checked to see whether it satisfies one or more predetermined conditions for secure elliptic curves, to assess the security of the elliptic curve (S904). If and only if the order satisfies the conditions, the generated elliptic curve parameters are outputted. If the order does not satisfy the conditions, the procedure returns to step S901 to repeat the random number generation, the parameter generation, the order computation, and the security judgement, until an elliptic curve whose order satisfies the conditions in step S904 is found.

This method which employs an order computation algorithm requires a long computation time. In particular, it takes much time to compute the order of the elliptic curve.

One example of an algorithm used to compute the order of an elliptic curve is the algorithm proposed by Schoof. This is a polynomial time algorithm, that is, an algorithm whose computation time is bounded by a polynomial in the size of the input (here, the bit length of p). The computation time of Schoof's algorithm per se is nevertheless not practical.

(Prior Art Example 2: Elliptic Curve Order Computation according to the SEA Algorithm)

Atkin and Elkies have proposed several improvements to Schoof's algorithm and so have designed the SEA (Schoof-Elkies-Atkin) algorithm.

This algorithm is detailed in R. Lercier & F. Morain, "Counting the Number of Points on Elliptic Curves over Finite Fields: Strategies and Performances", EUROCRYPT'95, Springer-Verlag (1995), pp. 79-94.

The SEA algorithm computes t mod L^n (n = 1, 2, 3, ...) for small primes L, where t is the integer such that the order of E is p+1-t. This can be done by calculating an eigenvalue of a map called the Frobenius map, which sends a point (α, β) to (α^p, β^p). More specifically, k is found from the equation

(α^p, β^p) = k(α, β)

where (α, β) is an L-division point on the elliptic curve E and k(α, β) is the point on E obtained by exponentiating (that is, scalar-multiplying) the point (α, β) by k. This is carried out through computation on the elliptic curve E over a residue class ring of polynomials in the variables α and β with elements of GF(p) as coefficients, the moduli of the ring being the polynomials β^2 - f(α) and h(α). Since the computational complexity of a polynomial inversion is greater than the computational complexity of a polynomial multiplication, a 3-tuple coordinate is used in this computation. Here, projective coordinates are employed as the 3-tuple coordinates, as projective coordinates have conventionally been used for elliptic curves over finite fields. Conventional projective coordinates are described in Miyaji, Ono & Cohen, "Efficient Elliptic Curve Exponentiation", Advances in Cryptology - Proceedings of ICICS'97, Lecture Notes in Computer Science, Springer-Verlag (1997), pp. 282-290.

(Prior Art Example 3: Calculation of the Exponentiation Point k(α, β) on the Elliptic Curve E)

Exponentiating the point (α, β) on the elliptic curve E by k is done by splitting the exponentiation into additions and doublings and performing the additions and the doublings in the following way.

Suppose (α, β) is transformed to (α : β : 1), and (α : β : 1) is interpreted as (X(α) : β×Y(α) : Z(α)) (where X(α) = α and Y(α) = Z(α) = 1).

Note here that ( , ) and ( : : ) represent affine coordinates and projective coordinates, respectively.

Assume

P1 = (X1(α) : β×Y1(α) : Z1(α))
P2 = (X2(α) : β×Y2(α) : Z2(α))
P3 = P1 + P2 = (X3(α) : β×Y3(α) : Z3(α))

In this specification, the operators * and × in an addition formula or a doubling formula both denote a multiplication. In the addition formula or the doubling formula, a multiplication which appears for the first time in the formula is expressed by the operator *, whereas a multiplication which has already appeared is expressed by the operator ×. The number of multiplications in the addition or doubling formula can be obtained by counting the number of operators * in the formula.

(1) Addition Formula

When P1 ≠ ±P2, addition is required, the formula of which is

X3 = v*A
Y3 = u*(v^2×X1×Z2 - A) - v^3*(Y1×Z2)
Z3 = v^3*(Z1×Z2)

where

u = Y2*Z1 - Y1*Z2
v = X2*Z1 - X1*Z2
A = u^2×f(α)×Z1×Z2 - v^3 - 2×v^2×X1×Z2
  = ((u*u)*f(α))*(Z1*Z2) - (v*v)*v - 2×v^2*(X1×Z2)

and

f(x) = x^3 + ax + b

It is to be noted that, although X1, Y1, Z1, X2, Y2, Z2, X3, Y3, Z3, u, v, and A are polynomials in the variable α and therefore should be written as X1(α), Y1(α), Z1(α), and so on, to be precise, (α) has been omitted here for convenience in writing.

(2) Doubling Formula

When P1 = P2, doubling is required, the formula of which is

X3 = 2×h*(s×f(α))
Y3 = w×(4×B - h) - 8×Y1^2×s^2×f(α)^2
   = w*(4×B - h) - 8×(Y1×s×f(α))*(Y1×s×f(α))
Z3 = 8×s^3×f(α)^2
   = 8×s*(s×f(α))*(s×f(α))

where

w = a×Z1^2 + 3×X1^2
  = a×(Z1*Z1) + 3×(X1*X1)
s = Y1*Z1
B = X1*(Y1*(s*f(α)))
h = w^2 - 8×B
  = w*w - 8×B

and

f(x) = x^3 + ax + b

As with the addition formula, though X1, Y1, Z1, X3, Y3, Z3, w, s, B, and h are polynomials in the variable α, (α) is omitted for convenience in writing.

The number of multiplications is 15 in the addition formula and 12 in the doubling formula, as can be seen from the number of operators * in each of the formulas. When the computational complexity of a polynomial multiplication is measured as 1×PMul, the computational complexity of the addition is 15×PMul and the computational complexity of the doubling is 12×PMul.

In counting the number of multiplications, the computational complexity of multiplying a constant and a polynomial, such as a×(Z1^2) or 3×(X1^2), is smaller than the computational complexity of multiplying a polynomial and a polynomial, so that such a multiplication is ignored in the counting. Likewise, a multiplication which has once appeared does not have to be calculated again because the previous multiplication result can be used, so that such a multiplication is ignored in the counting.

(Prior Art Example 4: Elliptic Curve Construction based on the SEA Algorithm)

A method of constructing elliptic curves using the SEA algorithm is proposed in R. Lercier, "Finding Good Random Elliptic Curves for Cryptosystems Defined over F(2^n)", Advances in Cryptology - Proceedings of EUROCRYPT'97, Lecture Notes in Computer Science 1233, Springer-Verlag (1997), pp. 379-392 (hereinafter referred to as "document 1"). In this method the predetermined conditions used in the elliptic curve construction of prior art example 1 are defined as "the order of the elliptic curve is a prime".

Lercier's elliptic curve construction method which employs the SEA algorithm is described below with reference to Figs. 2 and 3.

Let p be a prime which is an input value. Also, let E be an elliptic curve over a finite field GF(p) and E' be the quadratic twist of E. Then there is the relationship that, if the order of E is p+1-t, the order of E' is p+1+t.

First, an element u of the finite field GF(p) is chosen at random (S931), and parameters of the elliptic curve E are determined based on the element u (S932). Then, flags flag#ell and flag#twist are both set to an initial value 1 (S933).

Next, the order of E and the order of E' are calculated according to the SEA algorithm (S934).

If the order of E is divisible by L (S935), flag#ell is changed to 0 (S936), whereas if the order of E' is divisible by L (S937), flag#twist is changed to 0 (S938). When flag#ell = 0 and flag#twist = 0 (S940), the procedure returns to step S931. Otherwise, the procedure proceeds to step S941.

When flag#ell = 1 (S941), it is judged whether the order of E is prime (S942). If the order of E is prime, the procedure proceeds to step S945. If the order of E is not prime, it is judged whether flag#twist = 1 (S943). When flag#twist ≠ 1, the procedure returns to step S931. When flag#twist = 1, it is judged whether the order of E' is prime (S944). If the order of E' is not prime, the procedure returns to step S931. If the order of E' is prime, the procedure proceeds to step S945.

It is judged in step S945 whether the order of E is equal to p. If the order is equal to p, the procedure returns to step S931. If the order is not equal to p, the parameters of the elliptic curve E are outputted (S946).

In Lercier's elliptic curve construction, step S933 is used to accelerate computation, thereby reducing the computation time needed for the SEA algorithm. Nevertheless, since in step S932 the parameters of the elliptic curve E are determined without consideration given to the possibility that the order of the elliptic curve E is not prime, the order computation according to the SEA algorithm in step S934 may have to be repeated again and again. This causes an increase in overall computational complexity.

Thus, despite the fact that Schoof's order computation algorithm in elliptic curve construction has been modified into the SEA algorithm and improvements to reduce the computational complexity of the SEA algorithm have been proposed by Lercier, there still remains the demand to further reduce the computational complexity of constructing elliptic curves.



SUMMARY OF THE INVENTION

The first object of the invention is to provide an elliptic 
curve arithmetic operation device that can compute points on an 
elliptic curve with small computational complexity. 

The second object of the invention is to provide an elliptic curve order computation device that can compute an order of an elliptic curve with small computational complexity.

The third object of the invention is to provide an elliptic curve construction device that can construct a highly secure elliptic curve with small computational complexity.

The fourth object of the invention is to provide an elliptic curve application device that uses a highly secure elliptic curve constructed with small computational complexity.

The first object can be fulfilled by an elliptic curve arithmetic operation device for performing one of an addition and a doubling on an elliptic curve E: y^2 = f(x) over a residue class ring of polynomials in two variables α and β, the moduli of the residue class ring being the polynomials β^2 - f(α) and h(α), where f(α) = α^3 + aα + b, a and b are constants, and h(α) is a polynomial in the variable α, the elliptic curve arithmetic operation device including: an acquiring unit for acquiring affine coordinates of at least one point on the elliptic curve E and operation information indicating one of the addition and the doubling, from an external source; a transforming unit for performing a coordinate transformation on the acquired affine coordinates to generate Jacobian coordinates, the coordinate transformation being transforming affine coordinates (φ(α), β×ψ(α)) of a given point on the elliptic curve E using polynomials

X(α) = f(α)×φ(α)
Y(α) = f(α)^2×ψ(α)
Z(α) = 1

into Jacobian coordinates (X(α) : Y(α) : β×Z(α)), φ(α) and ψ(α) being polynomials; and an operating unit for performing one of the addition and the doubling indicated by the acquired operation information, on the generated Jacobian coordinates to obtain Jacobian coordinates of a point on the elliptic curve E.

Here, the acquiring unit may in a first case acquire affine 
coordinates of two different points on the elliptic curve E and 
operation information indicating the addition and in a second 
case acquire affine coordinates of a single point on the elliptic 
curve E and operation information indicating the doubling, 
wherein the transforming unit in the first case performs the 
coordinate transformation on the acquired affine coordinates of 
the two different points to generate Jacobian coordinates of the
two different points and in the second case performs the 
coordinate transformation on the acquired affine coordinates of 
the single point to generate Jacobian coordinates of the single 
point, and the operating unit in the first case performs the 
addition indicated by the acquired operation information on the 
generated Jacobian coordinates of the two different points to 
obtain the Jacobian coordinates of the point on the elliptic 
curve E and in the second case performs the doubling indicated by 
the acquired operation information on the generated Jacobian 
coordinates of the single point to obtain the Jacobian 
coordinates of the point on the elliptic curve E. 

Here, the acquiring unit may in the first case acquire affine coordinates

(X1(α), β×Y1(α))
(X2(α), β×Y2(α))

of the two different points on the elliptic curve E and the operation information indicating the addition and in the second case acquire affine coordinates

(X1(α), β×Y1(α))

of the single point on the elliptic curve E and the operation information indicating the doubling, wherein the transforming unit in the first case performs the coordinate transformation on the acquired affine coordinates of the two different points to generate Jacobian coordinates

(X1(α) : Y1(α) : β×Z1(α))
(X2(α) : Y2(α) : β×Z2(α))

of the two different points and in the second case performs the coordinate transformation on the acquired affine coordinates of the single point to generate Jacobian coordinates

(X1(α) : Y1(α) : β×Z1(α))

of the single point (from here on X1(α), Y1(α), X2(α), and Y2(α) denote the polynomials after the transformation), and the operating unit in the first case computes

U1(α) = X1(α)×Z2(α)^2
U2(α) = X2(α)×Z1(α)^2
S1(α) = Y1(α)×Z2(α)^3
S2(α) = Y2(α)×Z1(α)^3
H(α) = U2(α) - U1(α)
r(α) = S2(α) - S1(α)

and computes

X3(α) = -H(α)^3 - 2×U1(α)×H(α)^2 + r(α)^2
Y3(α) = -S1(α)×H(α)^3 + r(α)×(U1(α)×H(α)^2 - X3(α))
Z3(α) = Z1(α)×Z2(α)×H(α)

to obtain Jacobian coordinates (X3(α) : Y3(α) : β×Z3(α)) of the point on the elliptic curve E, and in the second case computes

S(α) = 4×X1(α)×Y1(α)^2
M(α) = 3×X1(α)^2 + a×Z1(α)^4×f(α)^2
T(α) = -2×S(α) + M(α)^2

and computes

X3(α) = T(α)
Y3(α) = -8×Y1(α)^4 + M(α)×(S(α) - T(α))
Z3(α) = 2×Y1(α)×Z1(α)

to obtain the Jacobian coordinates (X3(α) : Y3(α) : β×Z3(α)) of the point on the elliptic curve E.

With the above construction, the computational complexity for polynomial multiplications in the addition increases by 1×PMul (from 15×PMul to 16×PMul) and the computational complexity for polynomial multiplications in the doubling decreases by 2×PMul (from 12×PMul to 10×PMul), when compared with the prior art. The doubling count assumes that f(α)^2, which does not depend on the point being doubled, is computed once beforehand. Given that generally the doubling is more frequently repeated than the addition, the decrease in computational complexity of the doubling greatly contributes to a reduction in overall computational complexity in the elliptic curve arithmetic operation device.
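The projective formulas of Prior Art Example 3 and the Jacobian formulas above, run side by side as an added example (this code is not part of the patent): the polynomial ring in α and β is specialised to GF(p) by fixing α to the x-coordinate of an actual curve point and β to its y-coordinate, so that β^2 = f(α) holds as a field identity and every result can be checked against the plain affine group law. The prime p = 10007, the curve y^2 = x^3 - 3x + 7 and the points are constructed for the demonstration; mul() counts exactly the polynomial-by-polynomial products the text marks with *, multiplications by constants are not counted, and f(α)^2 for the Jacobian doubling is precomputed once, which is the assumption needed to reach the count of 10.

```python
# Added example, not the patent's code: Prior Art Example 3 (projective (X : beta*Y : Z)) and the
# Jacobian (X : Y : beta*Z) formulas of the Summary, specialised from the polynomial ring to GF(P).
P = 10007                      # constructed prime, P = 3 (mod 4) so a square root is a single pow
A_COEF, B_COEF = -3, 7         # constructed curve E: y^2 = x^3 - 3x + 7 over GF(P)
_mul_count = 0                 # polynomial-by-polynomial multiplications (the "*" of the text)

def mul(x, y):                 # a counted multiplication: both factors are ring elements
    global _mul_count
    _mul_count += 1
    return x * y % P

def affine_add(p1, p2):        # reference affine group law (finite points, p1 != -p2)
    (x1, y1), (x2, y2) = p1, p2
    num, den = (3 * x1 * x1 + A_COEF, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

# Prior Art Example 3.  fv stands for f(alpha) = beta^2; constant factors use plain * and are not counted.
def proj_add(p1, p2, fv):
    (X1, Y1, Z1), (X2, Y2, Z2) = p1, p2
    Y1Z2 = mul(Y1, Z2); u = (mul(Y2, Z1) - Y1Z2) % P                  # 2 multiplications
    X1Z2 = mul(X1, Z2); v = (mul(X2, Z1) - X1Z2) % P                  # 2
    Z1Z2 = mul(Z1, Z2); vv = mul(v, v); vvv = mul(vv, v); vvX1Z2 = mul(vv, X1Z2)
    Aval = (mul(mul(mul(u, u), fv), Z1Z2) - vvv - 2 * vvX1Z2) % P     # 7 (the A of the text)
    X3 = mul(v, Aval)                                                  # 1
    Y3 = (mul(u, vvX1Z2 - Aval) - mul(vvv, Y1Z2)) % P                 # 2
    Z3 = mul(vvv, Z1Z2)                                                # 1, 15 in total
    return X3, Y3, Z3

def proj_double(p1, fv):
    X1, Y1, Z1 = p1
    w = (A_COEF * mul(Z1, Z1) + 3 * mul(X1, X1)) % P                  # 2
    s = mul(Y1, Z1); sf = mul(s, fv); Ysf = mul(Y1, sf); Bv = mul(X1, Ysf)   # 4
    h = (mul(w, w) - 8 * Bv) % P                                       # 1
    X3 = 2 * mul(h, sf) % P                                            # 1
    Y3 = (mul(w, 4 * Bv - h) - 8 * mul(Ysf, Ysf)) % P                  # 2
    Z3 = 8 * mul(mul(s, sf), sf) % P                                   # 2, 12 in total
    return X3, Y3, Z3

# Summary.  beta only re-enters through the curve parameter, as a*Z^4*f(alpha)^2 in the doubling.
def jac_add(p1, p2):
    (X1, Y1, Z1), (X2, Y2, Z2) = p1, p2
    Z2Z2 = mul(Z2, Z2); Z1Z1 = mul(Z1, Z1); U1 = mul(X1, Z2Z2); U2 = mul(X2, Z1Z1)   # 4
    S1 = mul(Y1, mul(Z2Z2, Z2)); S2 = mul(Y2, mul(Z1Z1, Z1))          # 4
    H = (U2 - U1) % P; r = (S2 - S1) % P
    HH = mul(H, H); HHH = mul(HH, H); U1HH = mul(U1, HH)
    X3 = (mul(r, r) - HHH - 2 * U1HH) % P                              # 4
    Y3 = (mul(r, U1HH - X3) - mul(S1, HHH)) % P                       # 2
    Z3 = mul(mul(Z1, Z2), H)                                           # 2, 16 in total
    return X3, Y3, Z3

def jac_double(p1, ff):        # ff = f(alpha)^2, computed once per alpha rather than per doubling
    X1, Y1, Z1 = p1
    YY = mul(Y1, Y1); S = 4 * mul(X1, YY) % P                          # 2
    ZZ = mul(Z1, Z1); M = (3 * mul(X1, X1) + A_COEF * mul(mul(ZZ, ZZ), ff)) % P   # 4
    T = (mul(M, M) - 2 * S) % P                                        # 1, and X3 = T
    Y3 = (mul(M, S - T) - 8 * mul(YY, YY)) % P                         # 2
    Z3 = 2 * mul(Y1, Z1) % P                                           # 1, 10 in total
    return T, Y3, Z3

# Coordinate transformations (plain arithmetic, not counted).
def to_proj(pt, beta):         # affine (x, y) -> (x : beta*(y/beta) : 1)
    return pt[0], pt[1] * pow(beta, -1, P) % P, 1
def from_proj(pt, beta):
    zi = pow(pt[2], -1, P)
    return pt[0] * zi % P, beta * pt[1] * zi % P
def to_jac(pt, beta):          # affine (phi, beta*psi) -> (f*phi : f^2*psi : beta*1) with f = beta^2
    return beta * beta * pt[0] % P, pow(beta, 3, P) * pt[1] % P, 1
def from_jac(pt, beta):        # the true Jacobian Z-coordinate is beta*Z
    bz = beta * pt[2] % P
    return pt[0] * pow(bz * bz, -1, P) % P, pt[1] * pow(bz ** 3, -1, P) % P

def find_points(n):            # constructed input: the first n affine points with x = 1, 2, ... and y != 0
    pts, x = [], 0
    while len(pts) < n:
        x += 1
        fx = (x * x * x + A_COEF * x + B_COEF) % P
        y = pow(fx, (P + 1) // 4, P)
        if fx and y * y % P == fx:
            pts.append((x, y))
    return pts

def run_all():
    """Check each formula set against affine_add; return {name: (matches, multiplications)}."""
    global _mul_count
    p1, p2 = find_points(2)
    beta = p1[1]               # (alpha, beta) = p1, so f(alpha) = beta^2 as in the text
    fv, ff = beta * beta % P, pow(beta, 4, P)
    q1, q2, j1, j2 = to_proj(p1, beta), to_proj(p2, beta), to_jac(p1, beta), to_jac(p2, beta)
    cases = [("proj_add", lambda: proj_add(q1, q2, fv), from_proj, affine_add(p1, p2)),
             ("proj_double", lambda: proj_double(q1, fv), from_proj, affine_add(p1, p1)),
             ("jac_add", lambda: jac_add(j1, j2), from_jac, affine_add(p1, p2)),
             ("jac_double", lambda: jac_double(j1, ff), from_jac, affine_add(p1, p1))]
    results = {}
    for name, op, back, expected in cases:
        _mul_count = 0
        results[name] = (back(op(), beta) == expected, _mul_count)
    return results
```

run_all() returns, for each formula set, whether the result agrees with the affine computation and how many counted multiplications were spent: 15 and 12 for the projective addition and doubling, 16 and 10 for the Jacobian ones, which is the +1/-2 PMul difference stated above. The Jacobian addition contains no f(α) at all because the map (x, y) to (f(α)x, βf(α)y) behind the transformation is an isomorphism onto a curve with parameters a×f(α)^2 and b×f(α)^3, and the addition formula does not involve the curve parameters.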

The second object can be fulfilled by an elliptic curve order 
computation device for computing an order of an elliptic curve 
according to a Schoof-Elkies-Atkin algorithm, the elliptic curve 
order computation device including the above elliptic curve 
arithmetic operation device. 

With this construction, the computational complexity for polynomial multiplications in the addition increases by 1×PMul and the computational complexity for polynomial multiplications in the doubling decreases by 2×PMul, when compared with the prior art. Given that generally the doubling is more frequently repeated than the addition, the decrease in computational complexity of the doubling greatly contributes to a reduction in overall computational complexity in the elliptic curve order computation device.

The third object can be fulfilled by an elliptic curve 
construction device for determining parameters of an elliptic 
curve E which is defined over a finite field GF(p) and offers a 
high level of security, p being a prime, the elliptic curve 
construction device including: a random number generating unit 
for generating a random number; a parameter generating unit for 
selecting the parameters of the elliptic curve E using the 
generated random number, in such a manner that a probability of 
a discriminant of the elliptic curve E having any square factor 
is lower than a predetermined threshold value; a finitude judging 
unit for judging whether the elliptic curve E defined by the 
selected parameters has any point whose order is finite on a 
rational number field; an order computing unit for computing an 
order m of the elliptic curve E when the finitude judging unit 
judges that the elliptic curve E does not have any point whose 
order is finite on the rational number field; a security judging 
unit for judging whether a condition that the computed order m is 
a prime not equal to the prime p is satisfied; a repeat 
controlling unit for controlling the random number generating 
unit, the parameter generating unit, the finitude judging unit,
the order computing unit, and the security judging unit 
respectively to repeat random number generation, parameter 
selection, finitude judgement, order computation, and security 
judgement until the condition is satisfied; and a parameter 
outputting unit for outputting the selected parameters when the 
condition is satisfied. 

With this construction, the parameter generating unit is 
likely to select a secure elliptic curve beforehand, so that the 
processes of selecting an elliptic curve and testing its security 
do not have to be repeated over and over again. As a result, 
overall computational complexity in the elliptic curve 
construction device is reduced. 

Also, the finitude judging unit assesses the security of the 
elliptic curve by judging whether the elliptic curve has a point 
with a finite order, before the order of the elliptic curve is 
computed. If the elliptic curve is judged as not being secure, 
the elliptic curve is rejected without the order thereof being 
computed. Accordingly, unnecessary calculation of the order is 
avoided and the overall computational complexity in the elliptic 
curve construction device is reduced. 

Here, the elliptic curve E may be expressed as y^2 = x^3 + ax + b where the parameters a and b are constants, wherein the parameter generating unit selects -3 and the random number respectively as the parameters a and b so that the probability of the discriminant of the elliptic curve E having any square factor is lower than the predetermined threshold value.

With this construction, the parameter generating unit selects beforehand the elliptic curve E: y^2 = x^3 - 3x + b, which is likely to be secure, so that the processes of selecting an elliptic curve and testing its security do not have to be repeated over and over again. Accordingly, the overall computational complexity in the elliptic curve construction device is reduced.

Here, the finitude judging unit may, given two primes p1 and p2 beforehand where p1 ≠ p2, interpret the elliptic curve E as an elliptic curve EQ on the rational number field, compute the orders m1 and m2 of the respective elliptic curves Ep1 and Ep2 which are produced by reducing the elliptic curve EQ modulo p1 and p2, judge whether the orders m1 and m2 are relatively prime, and, if the orders m1 and m2 are relatively prime, judge that the elliptic curve E does not have any point whose order is finite on the rational number field.

With this construction, the finitude judging unit assesses the security of the elliptic curve by judging whether the orders m1 and m2 of the elliptic curves Ep1 and Ep2 produced by reducing the elliptic curve EQ modulo p1 and p2 are relatively prime, before the order of the elliptic curve is computed. If the elliptic curve is judged as not being secure, the elliptic curve is rejected without the order thereof being computed. As a result, unnecessary calculation of the order is avoided and the overall computational complexity in the elliptic curve construction device is reduced.

Here, the finitude judging unit may, given the primes p1 = 5 and p2 = 7 beforehand, compute the orders m1 and m2 of the respective elliptic curves Ep1 and Ep2 produced by reducing the elliptic curve EQ modulo p1 = 5 and p2 = 7.

With this construction, the finitude judging unit judges whether the orders m1 and m2 of the elliptic curves Ep1 and Ep2 obtained by reducing the elliptic curve EQ modulo p1 = 5 and p2 = 7 are relatively prime. Performing the finitude judgement in this manner requires only the smallest computational complexity, since each order is found by examining at most seven values of x. The judgement relies on a point of finite order being carried faithfully into Ep1 and Ep2, which holds when EQ has good reduction at these primes, i.e. when its discriminant is divisible by neither 5 nor 7.

Here, the order computing unit may compute the order m of the elliptic curve E according to a Schoof-Elkies-Atkin algorithm and include an elliptic curve arithmetic operating unit for performing one of an addition and a doubling on the elliptic curve E: y^2 = f(x) over a residue class ring of polynomials in the variables α and β, the moduli of the residue class ring being the polynomials β^2 - f(α) and h(α), where f(α) = α^3 + aα + b and h(α) is a polynomial in the variable α, wherein the elliptic curve arithmetic operating unit includes the above elliptic curve arithmetic operation device.

With this construction, the computational complexity for polynomial multiplications in the addition increases by 1×PMul and the computational complexity for polynomial multiplications in the doubling decreases by 2×PMul, when compared with the prior art. Given that normally the doubling is more frequently repeated than the addition, the decrease in computational complexity of the doubling greatly contributes to a reduction in overall computational complexity in the elliptic curve construction device.

The fourth object can be fulfilled by an elliptic curve 
application device that uses elliptic curves, the elliptic curve 
application device including an elliptic curve constructing unit 
for determining parameters of an elliptic curve E which is 
defined over a finite field GF(p) and offers a high level of 
security, p being a prime, wherein the elliptic curve 
constructing unit includes the above elliptic curve construction 
device. 

With this construction, the elliptic curve application device delivers the same effects as the above elliptic curve construction device. Such an elliptic curve application device can achieve highly secure, fast encryption or digital signature and so has great practical applicability.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other objects, advantages and features of the invention will become apparent from the following description thereof taken in conjunction with the accompanying drawings that illustrate a specific embodiment of the invention. In the drawings:

Fig. 1 is a flowchart showing a conventional elliptic curve construction method;

Fig. 2 is a flowchart showing Lercier's elliptic curve construction method as another prior art example;

Fig. 3 is a flowchart that follows the flowchart of Fig. 2;

Fig. 4 is a block diagram showing the configuration of an elliptic curve construction device 500 according to an embodiment of the present invention;

Fig. 5 is a block diagram showing the concrete configuration of the elliptic curve construction device 500;

Fig. 6 shows an example of data stored in an information storing unit 507 in the elliptic curve construction device 500;

Fig. 7 is a flowchart showing the procedure of constructing an elliptic curve by the elliptic curve construction device 500;

Fig. 8 is a flowchart showing the procedure of computing the order of the elliptic curve by an elliptic curve order computing unit 504 in the elliptic curve construction device 500;

Fig. 9 is a flowchart showing the procedure of computing t mod L by the elliptic curve order computing unit 504; and

Fig. 10 is a flowchart showing the procedure of performing addition or doubling on points on the elliptic curve by the elliptic curve order computing unit 504.

DESCRIPTION OF THE PREFERRED EMBODIMENT 

The following is a description of an elliptic curve 
construction device 500 according to an embodiment of the 
invention. 

(1. Configuration of the Elliptic Curve Construction Device 500)

The elliptic curve construction device 500, when given a prime p, outputs parameters of an elliptic curve that is defined over a finite field GF(p) and that has a prime order not equal to p. Such a constructed elliptic curve exhibits a high degree of security.

The elliptic curve construction device 500 is roughly made up of a random number generating unit 501, an elliptic curve setting unit 502, an elliptic curve finitude judging unit 503, an elliptic curve order computing unit 504, an elliptic curve condition judging unit 505, a controlling unit 506, an information storing unit 507, an inputting unit 508, an outputting unit 509, and a parameter storing unit 510, as shown in Fig. 4. This elliptic curve construction device 500 is implemented by a microprocessor 11, a ROM (read only memory) 12, a RAM (random access memory) 13, a hard disk 14 storing a computer program, a keyboard 15, a display 16, and the like, as shown in Fig. 5. The functions of the random number generating unit 501, elliptic curve setting unit 502, elliptic curve finitude judging unit 503, elliptic curve order computing unit 504, elliptic curve condition judging unit 505, controlling unit 506, inputting unit 508, and outputting unit 509 are realized by executing the computer program stored on the hard disk 14 with the microprocessor 11.
(1.1. Inputting Unit 508)

The inputting unit 508 is implemented by the keyboard 15 or the like. The inputting unit 508 receives from the user an instruction to construct an elliptic curve and an input of a prime p (p ≠ 2). In this embodiment the prime p is 160 bits long.

The inputting unit 508 passes the received instruction and prime p to the controlling unit 506.

(1.2. Information Storing Unit 507)

The information storing unit 507 is provided with areas for respectively storing the prime p, a random number t, a parameter a, a parameter b, and an order m, as shown in Fig. 6. Each of the areas has a 160-bit capacity (by Hasse's theorem the order m lies within 2√p of p+1, so for a p close to 2^160 it can exceed p and then needs one bit more than p). The information storing unit 507 is implemented by the RAM 13.

Among these, the parameters a and b are the coefficients in the equation y^2 = x^3 + ax + b that represents an elliptic curve E defined over the finite field GF(p).
(1.3. Random Number Generating Unit 501) 

The random number generating unit 501 receives an instruction 
to generate a random number from the controlling unit 506. 

On being instructed, the random number generating unit 501 
generates the 160-bit random number t and writes the random 
number t into the information storing unit 507. 
(1.4. Elliptic Curve Setting Unit 502) 

(1) Function and Configuration of the Elliptic Curve Setting Unit 
502 

The elliptic curve setting unit 502 reads the random number 
t from the information storing unit 507. The elliptic curve 
setting unit 502 then sets the parameters a and h of the elliptic 
curve E: y ^ S-hax-t-h such that a=-3 and h=t, thereby defining 

the elliptic curve E as y ^ 2^x " 3-3x-ht. 

The elliptic curve setting unit 502 writes the set parameters 
a and h into the information storing unit 507. 

(2) Rationale for Defining the Elliptic Curve E as y^2 = x^3 - 3x + t

The elliptic curve E: y^2 = x^3 - 3x + t bears a high probability
of having a prime order, so that the elliptic curve E defined by
the elliptic curve setting unit 502 is likely to be a secure
elliptic curve.

The reason why the elliptic curve E: y^2 = x^3 - 3x + t bears a
high probability of having a prime order is presented below.
For a curve E over the rational number field expressed by

E: y^2 = x^3 + ax + b (where a and b are integers)

a discriminant TD is defined as

TD = 4a^3 + 27b^2

(this is the normalization under which TD(E1) and TD(E2) are
calculated below). This being so, when the discriminant TD is not
0, E is an elliptic curve. This is described in J. H. Silverman
"The Arithmetic of Elliptic Curves" GTM 106, Springer-Verlag
(1986) (hereinafter referred to as "document 2"), p. 50.

In the description that follows, it is assumed that the
discriminant TD is not 0, i.e. E is an elliptic curve.

The following theorem is presented in p. 221 in document 2. 

[Theorem 1] When a point having a finite order exists on the
elliptic curve E, its coordinates (x, y) are integers and either
y = 0 or the discriminant TD is divisible by y^2.

According to Theorem 1, when the discriminant TD is not
divisible by y^2 at a point P = (x, y) with y ≠ 0 on the elliptic
curve E, the point P does not have a finite order. That is
to say, when the discriminant TD has no square factor and a point
(x, y) with y ≠ 0 and a finite order exists on the elliptic curve E,
y^2 = 1, i.e. y = ±1, holds. Therefore, if the congruence
1 ≡ x^3 + ax + b (mod p) has no solution x (an integer solution
would in particular be a solution modulo p), then there is no point
with a finite order on the elliptic curve E, apart from the points
with y = 0, which have order 2. Theorem 1 leads to the following
fact.

[Fact 1] When the probability of the discriminant TD having a
square factor is low, the probability of the elliptic curve E
containing a point with a finite order is low.

Let the parameters a and b of the elliptic curve E be reduced to
elements of GF(p), the coordinates of the points on the elliptic
curve E be reduced to elements of GF(p), and Ep be the elliptic
curve obtained as a result. This process is called "reducing
modulo p". Reducing a point P = (x, y) with a finite order r on the
elliptic curve E modulo p yields a point Pp = (x mod p, y mod p) on
the elliptic curve Ep. For a prime p at which E remains an elliptic
curve and which does not divide r, such a point Pp again has order r;
in particular it is not transformed into the zero point O of the
elliptic curve Ep.

Based on group theory, the following proposition is 
established. 

[Proposition 1] If the order of the point Pp on the elliptic
curve Ep is r, then the order of the elliptic curve Ep is
divisible by r.

Let m be the order of the elliptic curve Ep and suppose there
is a point of finite order r > 1 on the elliptic curve E over the
rational number field. When r is smaller than m, then m is
divisible by r, and therefore the order of Ep is not prime.
Conversely, this leads to Fact 2.

[Fact 2] The elliptic curve Ep obtained by reducing modulo p the
elliptic curve E which does not have a point of finite order
(other than the zero point O) over the rational number field bears
a high probability of having a prime order.

Combining Fact 1 and Fact 2 yields the following fact. 

[Fact 3] If the chance that the discriminant TD of the elliptic 
curve E has a square factor is small, then the chance that the 
elliptic curve Ep obtained by reducing E modulo p has a prime 
order is high. 

In the following, the elliptic curves

E1: y^2 = x^3 + 3ux + 2u

E2: y^2 = x^3 - 3x + t (where t > 0)

are tested with the discriminant TD. When the discriminants
TD of E1 and E2 are respectively denoted by TD(E1) and TD(E2),

TD(E1) = 4(3u)^3 + 27(2u)^2 = 108u^3 + 108u^2 = 2^2 × 3^3 × u^2 × (u + 1)

TD(E2) = 4(-3)^3 + 27t^2 = 27(t^2 - 4) = 3^3 × (t^2 - 4)

TD(E1) has at least the square factors 2^2, 3^2, 6^2, u^2 and
(6u)^2. As for TD(E2), the following proof shows that t^2 - 4 is
not a square number.

[Proof] Let t be a positive integer. Then t ≥ 2, because
t^2 - 4 = -3 when t = 1, and -3 is not a square. (The value t = 2
gives t^2 - 4 = 0 and hence TD(E2) = 0, so that E2 is not an
elliptic curve; t = 2 is therefore excluded.)

Suppose t^2 - 4 is a square number, i.e. t^2 - 4 = n^2 for
some positive integer n > 0.

Then (t - n)(t + n) = 4. The positive divisors of 4 are 1, 2 and 4,
so that, given t - n < t + n, the only possible factorization is
(t - n, t + n) = (1, 4), which gives t = 5/2; t is then not an
integer. (The factorization (2, 2) would require n = 0.)

Thus, since t^2 - 4 is not a square number, the probability of
TD(E2) having a square factor is low. Accordingly, TD(E2) is
less likely to have a square factor than TD(E1). Let E1p and E2p
be the elliptic curves produced by respectively reducing the elliptic
curves E1 and E2 modulo p. From Fact 3 it follows that the
elliptic curve E2p has a higher probability of having a prime
order than the elliptic curve E1p.

It is thus apparent that the chance of the elliptic curve E2p
having a prime order is high.

For the above reason, the elliptic curve setting unit 502
sets the parameters a and b in such a manner that the probability
of the discriminant TD of the elliptic curve E having a square
factor is lower than a predetermined threshold value.

Since the elliptic curve setting unit 502 is likely to choose 
a highly secure elliptic curve in advance in such a way, the 
elliptic curve construction device 500 does not have to repeat 
the processes of choosing an elliptic curve and testing its 
security over and over again, with it being possible to reduce 
the overall computational complexity required of the elliptic 
curve construction device 500. 

(1.5. Elliptic Curve Finitude Judging Unit 503) 

(1) Function and Configuration of the Elliptic Curve Finitude 
Judging Unit 503 

The elliptic curve finitude judging unit 503 reads the 
parameters a and b of the elliptic curve E defined over the 
finite field GF(p), from the information storing unit 507. 

The elliptic curve finitude judging unit 503 interprets the 
read parameters a and b as integers, and the elliptic curve E as 
an elliptic curve on a rational number field. 

The elliptic curve finitude judging unit 503 chooses primes
p1 and p2 that are smaller than the prime p, where p1 ≠ p2.
Examples are p1 = 5 and p2 = 7. Next, the elliptic curve finitude
judging unit 503 reduces the elliptic curve E on the rational
number field respectively modulo p1 and p2 into the elliptic
curves Ep1 and Ep2, and computes the orders m1 and m2 of the
respective elliptic curves Ep1 and Ep2. When the elliptic curve
E is given by the equation y^2 = x^3 + ax + b, then the orders m1 and
m2 are computed as follows:

[Formula 1]

$$m_1 = 1 + \sum_{n=0}^{p_1-1}\left(1 + \left(\frac{n^3 + a n + b}{p_1}\right)\right), \qquad
m_2 = 1 + \sum_{n=0}^{p_2-1}\left(1 + \left(\frac{n^3 + a n + b}{p_2}\right)\right)$$

Here, (c/p) denotes the Legendre symbol (quadratic residue
symbol), wherein (c/p) = +1 if c is a quadratic residue modulo p,
(c/p) = -1 if c is a quadratic nonresidue modulo p, and (c/p) = 0 if
c ≡ 0 (mod p).

A brief explanation of Formula 1 is given below.

For a value n (0 ≤ n ≤ p1 - 1), two points are present on the
elliptic curve E when n^3 + a n + b is a nonzero square modulo p1,
one point is present on the elliptic curve E when
n^3 + a n + b ≡ 0 (mod p1), and no point is present on the elliptic
curve E when n^3 + a n + b is not a square modulo p1. On the elliptic
curve E: y^2 = x^3 + ax + b, the number of points whose x coordinate
is n (0 ≤ n ≤ p1 - 1) is therefore expressed as

[Formula 2]

$$1 + \left(\frac{n^3 + a n + b}{p_1}\right)$$

Hence the total number of points on the elliptic curve E, summed
over the p1 values of n from 0 to p1 - 1 and including the zero
point O, can be written as

[Formula 3]

$$m_1 = 1 + \sum_{n=0}^{p_1-1}\left(1 + \left(\frac{n^3 + a n + b}{p_1}\right)\right)$$

thereby establishing order computation Formula 1. Note here
that the "1" appearing first in Formula 3 denotes the number of zero
points O.

This order computation algorithm is described in pp. 219-220
of R. Schoof "Counting Points on Elliptic Curves over Finite
Fields" Journal de Théorie des Nombres de Bordeaux 7 (1995)
(hereinafter referred to as "document 3").

Next, the elliptic curve finitude judging unit 503 checks
whether the computed orders m1 and m2 are relatively prime, and
provides the controlling unit 506 with order judgement
information showing whether m1 and m2 are relatively prime.

It is to be noted that since p1 and p2 are small primes, the
computational complexity of calculating the orders by the
above order computation formula is within an acceptable range.
(2) Reason for Judging Whether the Orders ml and m2 are 
Relatively Prime 

The following theorem holds for the elliptic curve E over the 
rational number field. The theorem is given in p. 176 in document 
2. 

[Theorem 3] Let Ep1 and Ep2 be elliptic curves obtained by
reducing the elliptic curve E on the rational number field
respectively modulo the primes p1 and p2 (where p1 ≠ p2), and m1
and m2 be the orders of the respective elliptic curves Ep1 and
Ep2. When m1 and m2 are relatively prime, then the elliptic
curve E does not have a point whose order is finite (other than
the zero point O).

Thus, when the order m1 of the elliptic curve Ep1 and the
order m2 of the elliptic curve Ep2 are relatively prime, the
elliptic curve E does not have a point with a finite order, so
that according to Fact 2 there is a high probability that the
order of the elliptic curve Ep is prime. In contrast, when m1
and m2 are not relatively prime, it cannot be excluded that the
elliptic curve E has a point with a finite order, so that according
to Fact 2 the probability that the order of the elliptic curve Ep
is prime is low. The level of security of such an elliptic curve
E is not quite high. Accordingly, if the order m1 of the elliptic
curve Ep1 and the order m2 of the elliptic curve Ep2 are not
relatively prime, the elliptic curve finitude judging unit 503
rejects the elliptic curve E.

Thus, an elliptic curve which is not secure is rejected prior 
to the computation of the order of the elliptic curve. As a 
result, time needed for calculating the order of such an 
inappropriate elliptic curve by the elliptic curve order 
computing unit 504 can be saved, with it being possible to reduce 
the overall computational complexity in the elliptic curve 
construction device 500. 

Note that though p1 and p2 can be any primes smaller than
the prime p, it is preferable to set p1 = 5 and p2 = 7 as shown
above. By choosing the smallest usable primes as p1 and p2, the
computational complexity of calculating the orders m1 and m2
becomes the smallest.

Here, if the prime p1 (or the prime p2) is 3, the elliptic
curve discriminant TD = 4a^3 + 27b^2 = 27(t^2 - 4) is 0 modulo 3,
meaning that Ep1 (or Ep2) is not an elliptic curve. Therefore, 3
should not be assigned to p1 (or p2). (The prime 2 is likewise
unusable, since an equation of the form y^2 = x^3 + ax + b never
defines a nonsingular curve in characteristic 2.)
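As an added worked example (my own code, not code from the patent; the function names are assumptions), the following Python implements the order computation of Formula 1 by the Legendre symbol for the small primes p1 = 5 and p2 = 7, the check that E is still an elliptic curve modulo each of them (TD ≢ 0), and the finitude judgement gcd(m1, m2) = 1, for the curve family y^2 = x^3 - 3x + t set by the elliptic curve setting unit 502. The sample values t = 1 (accepted) and t = 10 (rejected, since both reduced curves have even order) are constructed for the demonstration.

```python
from math import gcd


def legendre(c, p):
    """Legendre symbol (c/p) for an odd prime p: +1 residue, -1 non-residue, 0 if p | c."""
    c %= p
    if c == 0:
        return 0
    return 1 if pow(c, (p - 1) // 2, p) == 1 else -1


def discriminant(a, b):
    """TD = 4a^3 + 27b^2 for E: y^2 = x^3 + ax + b (the normalization used in the text)."""
    return 4 * a**3 + 27 * b**2


def is_elliptic_mod(a, b, p):
    """E reduced modulo p is an elliptic curve iff p > 3 and TD is not 0 modulo p."""
    return p > 3 and discriminant(a, b) % p != 0


def curve_order_mod(a, b, p):
    """Formula 1: m = 1 + sum_{n=0}^{p-1} (1 + ((n^3 + a n + b)/p)).

    The leading 1 counts the zero point O; each x coordinate n contributes
    2, 1 or 0 points according to whether n^3 + a n + b is a nonzero square,
    zero, or a non-square modulo p. Exhaustive, so only sensible for small p.
    """
    if not is_elliptic_mod(a, b, p):
        raise ValueError(f"y^2 = x^3 + {a}x + {b} is singular modulo {p}")
    m = 1 + sum(1 + legendre(n**3 + a * n + b, p) for n in range(p))
    assert abs(m - (p + 1)) <= 2 * p**0.5          # Hasse bound, as a sanity check
    return m


def finitude_judgement(a, b, p1=5, p2=7):
    """True if gcd(m1, m2) = 1 (Theorem 3: no non-trivial torsion over Q), so the
    curve is passed on to the SEA order computation; False if rejected early."""
    m1 = curve_order_mod(a, b, p1)
    m2 = curve_order_mod(a, b, p2)
    return gcd(m1, m2) == 1


def setting_unit(t):
    """Elliptic curve setting unit 502: a = -3, b = t (t > 0, t != 2)."""
    return -3, t


if __name__ == "__main__":
    for t in (1, 10):                                 # constructed sample inputs
        a, b = setting_unit(t)
        m1, m2 = curve_order_mod(a, b, 5), curve_order_mod(a, b, 7)
        print(f"t={t}: #E(GF(5))={m1}, #E(GF(7))={m2}, accepted={finitude_judgement(a, b)}")
```

The singularity check matters in practice: t ≡ ±2 (mod p1) makes TD ≡ 0 (mod p1), in which case the Legendre-symbol count is meaningless for that prime and a different small prime has to be used.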

(1.6. Elliptic Curve Order Computing Unit 504) 

The elliptic curve order computing unit 504 calculates the
order of the elliptic curve E on the finite field GF(p) in the
following manner.

(1.6.1. Calculation of the Order due to the SEA Algorithm) 

The elliptic curve order computing unit 504 employs the SEA
algorithm to compute the order of the elliptic curve E.

Let m be the order of the elliptic curve E, and t be such
that

m = p + 1 - t

Also, the polynomial

f(x) = x^3 + ax + b

is given.

First, the elliptic curve order computing unit 504 sets an 
integer variable L at an initial value 2. 

The elliptic curve order computing unit 504 then counts the
number of linear factors when factoring the modular polynomial
Φ_L(T, j(E)) in the ring GF(p)[T] of polynomials in a variable T,
where j(E) is the j-invariant of E.

When the number of linear factors is 2, the elliptic curve
order computing unit 504 solves t mod L, and further solves t mod
L^n according to the isogeny cycle algorithm.

When the number of linear factors is 1 or L + 1, the elliptic
curve order computing unit 504 solves t mod L, and checks whether
the isogeny cycle algorithm is applicable. If the isogeny cycle
algorithm is applicable, the elliptic curve order computing unit
504 solves t mod L^n (n = 2, 3, ...) by the isogeny cycle
algorithm.

When, on the other hand, the number of linear factors is 0,
the elliptic curve order computing unit 504 narrows down the possible
values of t mod L from the set {0, 1, ..., L - 1}.

Next, the elliptic curve order computing unit 504 increases
L to the next prime if

L1^(n1) × L2^(n2) × ... × Lk^(nk) < 4 × p^(1/2)
(where L1, L2, ..., Lk are the primes processed so far and
Lk = L)

and repeats the counting of the number of linear factors and
the process which follows depending on the number of linear
factors, until the above condition is no longer met.

If the condition is no longer met, the elliptic curve
order computing unit 504 determines the order m according to the
match & sort algorithm and writes the determined order m into the
information storing unit 507.

This order computation algorithm is detailed in R. Lercier
& F. Morain "Counting the Number of Points on Elliptic Curves
over Finite Fields: Strategies and Performances" EUROCRYPT '95,
pp. 79-94, Springer-Verlag (1995).

Also, the match & sort algorithm is explained in detail in
"Algorithmique des Courbes Elliptiques dans les Corps Finis"
Thesis, Ecole Polytechnique-LIX (1997), pp. 195-202 and in "Elliptic
Curves in Cryptography" London Mathematical Society Lecture Note
Series 265, Cambridge University Press (1999), pp. 142-144.
(1.6.2. Supplemental Remarks on the Order Computation by the SEA 
Algorithm) 

The computation of the elliptic curve order m by the SEA 
algorithm is elaborated below. The elliptic curve order 
computing unit 504 performs the following calculations. 

Let

E: y^2 = f(x)

be the elliptic curve over GF(p), where f(x) = x^3 + ax + b.
(1) Characteristic Equation
(1-1) Algebraic Closure K of GF(p)

K denotes the algebraic closure of GF(p). The algebraic
closure K is a field containing GF(p). Any polynomial having
coefficients in K can be decomposed into linear factors.

Another example of an algebraic closure is the complex number
field, which is the algebraic closure of the real number field. Any
polynomial having coefficients in the complex number field can be
decomposed into linear factors.
(1-2) Frobenius Map φp

For a point P = (α, β) (where α, β ∈ K) on the elliptic curve E,
the Frobenius map φp is defined as follows:

φp: (α, β) → (α^p, β^p)

Since (α, β) is a point on E,
β^2 = α^3 + aα + b
Raising both sides of this equation to the p-th power
yields

β^(2p) = (α^3 + aα + b)^p
the right side of which can be expanded to

(α^3 + aα + b)^p = α^(3p) + a^p × α^p + b^p
= α^(3p) + a × α^p + b
in accordance with p. 193 in Y. Morita Introduction to
Algebra, Mathematics Selection 9, Shokabo (1987) (in characteristic
p, (u + v)^p = u^p + v^p). Here, a and b are elements of GF(p), so
that a = a^p and b = b^p.
Hence

(β^p)^2 = (α^p)^3 + a(α^p) + b
Therefore, (α^p, β^p) is a point on the elliptic curve E,
too.

(1-3) Characteristic Polynomial

According to p. 485 in R. Schoof "Elliptic Curves over Finite
Fields and the Computation of Square Roots mod p" Mathematics of
Computation vol. 44, no. 170 (1985) (hereinafter "document 4"), the
equation

(φp)^2(P) - t × φp(P) + pP = O
holds for every point P = (α, β) (α, β ∈ K) on the elliptic curve E,
where O is the zero element of the group of the elliptic curve E,
t is the trace of the Frobenius map, and the signs + and -
respectively denote addition and subtraction on the elliptic
curve E.

The elliptic curve order m can be deduced from t by the
equation

m = p + 1 - t

in accordance with Hasse's theorem. That is to say,
acquiring the trace t allows the order m of the elliptic curve E
to be computed.

Suppose the point P is an L-division point on E (L a prime),
i.e. P satisfies LP = O. Then the equation

(φp)^2(P) - (t mod L) × φp(P) + (p mod L) × P = O

holds.

The SEA algorithm computes t mod L from this equation. Here,
when φp has an eigenvalue k, it means that

φp(P) = kP

holds for the L-division point P on E, where kP is the
exponentiation point (scalar multiple) of P by k.

This being so, the characteristic equation of φp becomes
(k^2)P - (t mod L) × kP + (p mod L) × P = O

Therefore, when the eigenvalue k exists, the characteristic
polynomial of φp can be treated as a quadratic equation in the
variable k of the form

k^2 - (t mod L) × k + (p mod L) = 0

The SEA algorithm makes the following distinction depending
on whether this quadratic equation has a root in GF(L).

(Case 1) when the quadratic equation has two different roots k1
and k2

(Case 2) when the quadratic equation has a multiple root
(Case 3) when the quadratic equation has no root
The following procedures are carried out for Cases 1 to 3,
respectively.

When the quadratic equation has two different roots k1 and
k2 (Case 1),

k^2 - (t mod L) × k + (p mod L) = (k - k1)(k - k2)

i.e.

k1 + k2 = t mod L
k1 × k2 = p mod L

Accordingly, if k1 is found, then t can be deduced from

t = k1 + p/k1 = (k1^2 + p)/k1 mod L
When the quadratic equation has a multiple root (Case 2),

k1^2 = p mod L

Accordingly, k takes one of ±√p mod L. The value of k can
be specified by testing which of

φp P = ±(√p mod L) P

is true.

Depending on the eigenvalue of φp, t takes one of ±2√p mod
L.

When, on the other hand, the quadratic equation has no root
(Case 3), the coordinates of ((φp)^2 + (p mod L)) P and the
coordinates of (t' mod L) φp P are compared for candidate values
t', and the t' that matches is taken to be the exact t mod L.
(1-4) Distinction 

Since t mod L is unknown, generally it is impossible to 
determine which of Cases 1~3 applies. 

However, this can be done by referencing the number of roots 
of a polynomial called a modular polynomial on GF(p) . 

When the number of roots of the modular polynomial Φ_L(T, j(E))
in GF(p) is 2, Case 1 applies. When the number of roots is 1 or
L + 1, Case 2 applies. When the number of roots is 0, Case 3
applies.

For more detail, see document 3, p. 239. 
(1-5) Solution of the Characteristic Equation in Case 3 

In Case 3, the characteristic equation is solved in the 
following fashion . 

fL(α) denotes the L-division polynomial that has, as roots, the
x coordinates of all L-division points P on E, i.e. of all P
satisfying LP = O. Here, "P = (α, β) is an L-division point" is
equivalent to fL(α) = 0.

fL(α) is deduced through the use of recursive formulas. For
more details, see document 4, p. 485.

(1-6) Polynomial Representation of the Characteristic Equation
From the characteristic equation,

(φp)^2(P) + (p mod L) × P = (t mod L) × φp P

(equation 1)

is found to be true. Let (α, β) be the coordinates of the
point P. Since the point P = (α, β) is a point on the elliptic curve
E, it satisfies

β^2 - α^3 - aα - b = 0

Also, since P = (α, β) is an L-division point, it satisfies
fL(α) = 0

Let the coordinates of the point P in equation 1 be expressed
in the residue class ring

R = GF(p)[α, β]/(β^2 - α^3 - aα - b, fL(α))

of polynomials in the variables α and β.

Computations in the polynomial residue class ring R are
performed by substituting α^3 + aα + b for β^2 and 0 for fL(α).

In the following description, "in R" represents an operation
in the polynomial residue class ring R.
According to equation 1,

(α^(p^2), β^(p^2)) + (p mod L) × (α, β)
= (t mod L) × (α^p, β^p) in R (equation 2)

holds.

(1-7) Solution of the Characteristic Equation in Case 1 

In Case 1, the characteristic equation is solved in the 
following way. 

k such that φp P = kP is sought using a factor h(α) of the L-
division polynomial fL(α); that is, fL(α) is divisible by h(α).
The method of obtaining h(α) is given in document 3, pp. 242-253.
(1-8) Solution of the Characteristic Equation in Case 2

In Case 2, the characteristic equation is solved in the 
following way. 

Since it is already known that k = ±√p mod L, the y coordinates are
compared to specify the sign.

It is to be noted that since computational complexity in Case 
3 is large as compared with Case 1 or Case 2, t mod L is not 
calculated in Case 3. Instead, the operation of narrowing down 
possible values of t mod L is conducted. By doing so, the 
computational complexity in Case 3 becomes roughly equal to 
computational complexity in Case 1 or Case 2. 

As an exception, the exact t mod L is computed for small L (such
that L ≤ 5), on the ground that the computational complexity in
such a case is relatively small.

Obtaining possible values of t mod L is detailed in document 
3, pp.239~241. 

(1.6.3. Calculation of t mod L^n)

The elliptic curve order computing unit 504 calculates t mod
L^n as follows.
(1) Calculation of t mod L

The elliptic curve order computing unit 504 receives h(α) as
an input, calculates t mod L as follows, and outputs t mod L.

Let the polynomial residue class ring R be defined as
R = GF(p)[α, β]/(β^2 - α^3 - aα - b, h(α))
To obtain t mod L, it is necessary to find k such that
φp((α, β)) = k(α, β) in R

The elliptic curve order computing unit 504 assigns the
values 0, 1, ..., (L - 1)/2 to k' in sequence, computes the x
coordinate of φp((α, β)) in R and the x coordinate of k'(α, β) in R,
and compares the x coordinate of φp((α, β)) in R and the x
coordinate of k'(α, β) in R. When the two x coordinates match for
the first time, the elliptic curve order computing unit 504 computes
the y coordinate of φp((α, β)) in R and the y coordinate of k'(α, β)
in R. If the y coordinate of φp((α, β)) in R and the y coordinate of
k'(α, β) in R match, the elliptic curve order computing unit 504
sets k = k' mod L, while if the two y coordinates do not match, the
elliptic curve order computing unit 504 sets k = L - k' mod L (the
points k'P and -k'P share their x coordinate, so only the sign
remains to be decided from the y coordinate).

The elliptic curve order computing unit 504 then determines
t = (k^2 + p)/k mod L and outputs t.

(2) Calculation of t mod L^n according to the Isogeny Cycle
Algorithm

The elliptic curve order computing unit 504 finds t mod L^n
using the isogeny cycle algorithm.

In Case 1, the elliptic curve order computing unit 504 first
sets n = 2, calculates a polynomial H(α) based on k mod L and h(α),
and takes H(α) as the new h(α). The elliptic curve order computing
unit 504 then uses the polynomial h(α) to compute k mod L^n and
decides based on the degree of the polynomial h(α) whether to
proceed to the next step. When the degree of h(α) is denoted by
deg(h(α)), then it is judged whether

deg(h(α))^2 × L^2 × L^(2n) > |p|^3 / 135
where |p| represents the number of bits of p. If this
inequality is true, the elliptic curve order computing unit 504
defines

t = (k^2 + p)/k mod L^n

and completes the isogeny cycle. If the inequality is false,
the elliptic curve order computing unit 504 adds 1 to n and
repeats the above procedure until the inequality is satisfied.
As a result, t mod L^n is obtained.

Although the same computation as in Case 1 is performed in
Case 2, in Case 2 the isogeny cycle algorithm might not be
applicable. Accordingly, the elliptic curve order computing unit
504 tests whether the isogeny cycle algorithm is applicable
before computing t mod L^n.

On the other hand, k mod L^n (where n > 1) is computed as
follows.

Let k_i = k mod L^i (1 ≤ i ≤ n). The elliptic curve order
computing unit 504 receives k mod L^(n-1) and h(α) as inputs and
calculates k mod L^n in the following way.

Let the polynomial residue class ring be defined as
R = GF(p)[α, β]/(β^2 - α^3 - aα - b, h(α))

To obtain k mod L^n, it is necessary to find k' such that
φp((α, β)) = (k_(n-1) + L^(n-1) × k')(α, β) in R
Assigning the values 0, 1, ..., (L - 1)/2 to k' in sequence, the
elliptic curve order computing unit 504 calculates the x
coordinate of φp((α, β)) in R and the x coordinate of
(k_(n-1) + L^(n-1) × k')(α, β) in R, and compares the x coordinate of
φp((α, β)) in R and the x coordinate of (k_(n-1) + L^(n-1) × k')(α, β)
in R. When the x coordinates match for the first time, the
elliptic curve order computing unit 504 defines

k_n = k_(n-1) + L^(n-1) × k' mod L^n

and sets k_n as k mod L^n.

The above described processing is detailed in J. M.
Couveignes, L. Dewaghe, and F. Morain "Isogeny Cycles and the
Schoof-Elkies-Atkin Algorithm" LIX/RR/96/03 (1996).
(1.6.4. Judgement on the Elliptic Curve E by the Elliptic Curve 
Order Computing Unit 504) 

As mentioned above, when L1^(n1) × L2^(n2) × ... × Lk^(nk)
exceeds 4√p, the elliptic curve order computing unit 504 judges
that the computation by the SEA algorithm has been completed,
determines the elliptic curve order m, and ends the processing
thereof.

Here, to shorten computation time, the elliptic curve order
computing unit 504 tests the elliptic curve E and rejects any E
that would be judged as not being secure by the elliptic curve
condition judging unit 505, thereby halting the order computation
in progress.

More specifically, once t mod L has been determined, the
elliptic curve order computing unit 504 calculates p + 1 - t mod L
and checks whether p + 1 - t mod L is 0. If p + 1 - t mod L is 0, the
order m = p + 1 - t of the elliptic curve E is divisible by L and
hence cannot be prime (m is far larger than the small prime L, so it
cannot equal L itself). Accordingly, the elliptic curve order
computing unit 504 outputs elliptic curve rejection information to
the controlling unit 506 to reject the elliptic curve E, and
discontinues the order computation.

By such rejecting an elliptic curve which is not secure once 
t mod L has been determined, the elliptic curve order computing 
unit 504 can avoid needless computations. 

For this processing, see document 1. 
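To make the characteristic equation of section 1.6.2 and the early rejection test of section 1.6.4 concrete, here is an added Python example (my own code, not the patent's; the toy parameters p = 7, a = -3, b = 1 and all function names are assumptions). It builds E(GF(p^2)) by exhaustive search, checks (φp)^2(P) - t φp(P) + pP = O for every point, finds the eigenvalue k of φp on an L-division point for L = 5 and L = 11 (both Case 1 for this curve), recovers t mod L from k by t = (k^2 + p)/k mod L, and applies the test p + 1 - t ≡ 0 (mod L). Working over GF(p^2) rather than GF(p) is what makes a non-trivial eigenvalue visible: on GF(p)-rational points φp is the identity.

```python
from itertools import product

P, A, B = 7, 7 - 3, 1      # toy curve y^2 = x^3 - 3x + 1 over GF(7) (a = -3 as in the text; b assumed)
NR = 3                     # 3 is a quadratic non-residue mod 7, so GF(49) = GF(7)[i]/(i^2 - 3)
O = None                   # the zero point

# elements of GF(p^2) are pairs (u, v) standing for u + v*i
def f2(u, v=0): return (u % P, v % P)
def f2_add(x, y): return f2(x[0] + y[0], x[1] + y[1])
def f2_sub(x, y): return f2(x[0] - y[0], x[1] - y[1])
def f2_mul(x, y): return f2(x[0] * y[0] + NR * x[1] * y[1], x[0] * y[1] + x[1] * y[0])
def f2_inv(x):             # (u + v i)^-1 = (u - v i) / (u^2 - NR v^2); the norm is nonzero for x != 0
    n_inv = pow((x[0] * x[0] - NR * x[1] * x[1]) % P, P - 2, P)
    return f2(x[0] * n_inv, -x[1] * n_inv)
def f2_pow(x, e):
    r = f2(1)
    while e:
        if e & 1: r = f2_mul(r, x)
        x = f2_mul(x, x); e >>= 1
    return r

# affine group law on E: y^2 = x^3 + A x + B with coordinates in GF(p^2)
def ec_neg(pt): return O if pt is O else (pt[0], f2_sub(f2(0), pt[1]))
def ec_add(p1, p2):
    if p1 is O: return p2
    if p2 is O: return p1
    if p1[0] == p2[0]:
        if p1[1] != p2[1] or p1[1] == f2(0): return O        # P + (-P), or a 2-division point
        num = f2_add(f2_mul(f2(3), f2_mul(p1[0], p1[0])), f2(A))
        lam = f2_mul(num, f2_inv(f2_mul(f2(2), p1[1])))
    else:
        lam = f2_mul(f2_sub(p2[1], p1[1]), f2_inv(f2_sub(p2[0], p1[0])))
    x3 = f2_sub(f2_sub(f2_mul(lam, lam), p1[0]), p2[0])
    return (x3, f2_sub(f2_mul(lam, f2_sub(p1[0], x3)), p1[1]))
def ec_mul(k, pt):         # the "exponentiation point" kP, by double-and-add
    r = O
    while k:
        if k & 1: r = ec_add(r, pt)
        pt = ec_add(pt, pt); k >>= 1
    return r

def frobenius(pt):         # phi_p: (alpha, beta) -> (alpha^p, beta^p)
    return O if pt is O else (f2_pow(pt[0], P), f2_pow(pt[1], P))

def on_curve(pt):
    x, y = pt
    rhs = f2_add(f2_add(f2_mul(f2_mul(x, x), x), f2_mul(f2(A), x)), f2(B))
    return f2_mul(y, y) == rhs

def points_gf_p2():        # E(GF(p^2)) by exhaustive search, with O first
    return [O] + [((u, v), (s, w)) for u, v, s, w in product(range(P), repeat=4)
                  if on_curve(((u, v), (s, w)))]

def frobenius_trace():     # t = p + 1 - #E(GF(p)); the GF(p)-rational points have v = w = 0
    m = 1 + sum(1 for pt in points_gf_p2()[1:] if pt[0][1] == 0 and pt[1][1] == 0)
    return P + 1 - m

def characteristic_equation_holds(t):   # (phi_p)^2(P) - t phi_p(P) + pP = O for all P in E(GF(p^2))
    for pt in points_gf_p2():
        lhs = ec_add(ec_add(frobenius(frobenius(pt)), ec_neg(ec_mul(t, frobenius(pt)))), ec_mul(P, pt))
        if lhs is not O: return False
    return True

def frobenius_eigenvalue(L):
    """k with phi_p(Q) = kQ for some L-division point Q in E(GF(p^2)), or None."""
    pts = points_gf_p2(); m2 = len(pts)
    if m2 % L: return None
    for pt in pts[1:]:
        q = ec_mul(m2 // L, pt)                   # has order L unless it collapses to O
        if q is O: continue
        for k in range(1, L):
            if ec_mul(k, q) == frobenius(q): return k
    return None

def trace_mod_L_from_eigenvalue(k, L):   # Case 1 of the text: t = k + p/k = (k^2 + p)/k mod L
    return (k * k + P) * pow(k, -1, L) % L

def order_divisible_by(L, t_mod_L):      # early rejection of section 1.6.4: L | m = p + 1 - t
    return (P + 1 - t_mod_L) % L == 0
```

For this curve #E(GF(7)) = 5, so t = 3 and #E(GF(49)) = p^2 + 1 - (t^2 - 2p) = 55. On the 5-division points (which are the GF(7)-rational ones) φp acts as k = 1; on the 11-division points, which lie on the quadratic twist, it acts as k = 10 ≡ -1. Both eigenvalues give back t ≡ 3, and the L = 5 test correctly flags that 5 divides the order.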
(1.6.5. Elliptic Curve Exponentiation)

As described above, elliptic curve exponentiation (computation
of the scalar multiple kP of a point P) needs to be performed to
obtain the eigenvalue of φp. Algorithms for computing elliptic
curve exponentiation points are presented below.
(1) Method using a Division Polynomial

The elliptic curve order computing unit 504 obtains an
exponentiation point in the above computation of t mod L in the
following way.

When using the division polynomials f_n, normalized so that each
f_n(α) is a polynomial in α alone (for even n the factor β of the
usual division polynomial is divided out),

n(α, β) = (α - f_(n-1)(α) × f_(n+1)(α) / (f_n(α)^2 × f(α)),
(f_(n+2)(α) × f_(n-1)(α)^2 - f_(n-2)(α) × f_(n+1)(α)^2)
/ (4 × β × f(α) × f_n(α)^3))

if n is even, or

n(α, β) = (α - f_(n-1)(α) × f_(n+1)(α) × f(α) / f_n(α)^2,
β × (f_(n+2)(α) × f_(n-1)(α)^2 - f_(n-2)(α) × f_(n+1)(α)^2)
/ (4 × f_n(α)^3))

if n is odd.

This is described in detail in document 4, pp. 485-486.
(2) Method using the Elliptic Curve Arithmetic Operation over the 
Polynomial Residue Class Ring R 

The elliptic curve order computing unit 504 finds an 
exponentiation point in the computation of t mod L as 
follows . 

Using the above division polynomials in computing t mod
L^n is inefficient, since it requires calculating, starting from
f_1, a long chain of otherwise unnecessary division polynomials
whose index grows like L^n.

Accordingly, the elliptic curve order computing unit 504 computes 
exponentiation points by elliptic curve arithmetic operations 
described below. 

Consider an elliptic curve arithmetic operation over a finite
field. When 2-tuple (affine) coordinates are used, it is necessary
to perform divisions. However, a division over a finite field
normally requires on average about 10 times as much computational
complexity as a multiplication over the finite field, so that
3-tuple (projective) coordinates, which do not require divisions,
are adopted instead. The same applies to elliptic curve arithmetic
operations over a polynomial residue class ring.

In the following, the first and second components of the 2-
tuple coordinates are respectively called the x coordinate and y
coordinate, whereas the first, second, and third components of
the 3-tuple coordinates are respectively called the X coordinate,
Y coordinate, and Z coordinate.

Here, Jacobian coordinates over a finite field are employed, in
which (X : Y : Z) represents the affine point (X/Z^2, Y/Z^3).
Since computation is easier if the input and the output are of
the same form, the coordinates of a point on an elliptic curve
over the polynomial residue class ring R are expressed as

(X(α) : β × Y(α) : Z(α))
which represents the form of the input and the output.
Then, this form of the input and the output is altered in
Jacobian coordinates through the transformation

(X'(α) : β × Y'(α) : Z'(α))
→ (β^2 × X'(α) : β^4 × Y'(α) : β × Z'(α))
Here, β^2 = f(α). Therefore, provided that
X(α) = f(α) × X'(α)
Y(α) = f(α)^2 × Y'(α)
Z(α) = Z'(α)

then the transformed point takes the form
(X(α) : Y(α) : β × Z(α))
(2-1) Projection of Elliptic Curve Points

The elliptic curve order computing unit 504 transforms the
affine coordinates (φ(α), β × ψ(α)) of a point on the elliptic curve
E using the polynomials

X(α) = f(α) × φ(α)

Y(α) = f(α)^2 × ψ(α)

Z(α) = 1

to generate the projective coordinates (X(α) : Y(α) : β × Z(α)),
where φ(α) and ψ(α) are polynomials.
(2-2) Addition and Doubling on the Elliptic Curve E 

For points on the elliptic curve E defined over the 
polynomial residue class ring R, an elliptic curve arithmetic 
operation is performed as follows. 

Elliptic curve exponentiation can be split into additions and
doublings. As an example, for a point P on the elliptic curve E,
calculating 100P is achieved through 6 doublings and 2 additions
of points on E, as can be seen from

100P = 2(2(P + 2(2(2(P + 2P)))))

Splitting elliptic curve exponentiation into doublings and
additions is done by a signed binary window method which is
described in pp. 345-357 in K. Koyama & Y. Tsuruoka "Speeding up
Elliptic Cryptosystems by Using a Signed Binary Window Method"
Advances in Cryptology - CRYPTO '92, Lecture Notes in Computer
Science vol. 740, Springer-Verlag (1993).
For the input of the coordinates of at least one point on the
elliptic curve

E: y^2 = f(x)

over the residue class ring R of polynomials in the variables α and
β with elements of the finite field GF(p) as coefficients, the
moduli of the ring R being the polynomials β^2 - f(α) and h(α), the
elliptic curve order computing unit 504 performs an elliptic curve
arithmetic operation to compute the coordinates of a point on the
elliptic curve E.
(2-2-1) Addition 

Elliptic curve addition is carried out as follows. 
For the input of points P and Q (P ≠ ±Q)
P = (X1(α) : Y1(α) : β × Z1(α))
Q = (X2(α) : Y2(α) : β × Z2(α))
on the elliptic curve E, the elliptic curve order computing
unit 504 calculates

U1 = X1 × Z2^2 = X1 * Z2 * Z2
U2 = X2 × Z1^2 = X2 * Z1 * Z1
S1 = Y1 × Z2^3 = Y1 * Z2 * (Z2^2)
S2 = Y2 × Z1^3 = Y2 * Z1 * (Z1^2)
H = U2 - U1
r = S2 - S1
and calculates

X3 = -H^3 - 2 × U1 × H^2 + r^2
Y3 = -S1 × H^3 + r × (U1 × H^2 - X3)
= -S1 * H^3 + r * (U1 * H^2 - X3)
Z3 = Z1 * Z2 * H

The elliptic curve order computing unit 504 then computes
β × Z3

and thereby obtains

P + Q = (X3(α) : Y3(α) : β × Z3(α))
as the outcome of adding the points P and Q on the elliptic
curve E.

Note here that, though X1, Y1, Z1, X2, Y2, Z2, X3, Y3, Z3,
U1, U2, S1, S2, H, and r are polynomials in the variable α and
therefore should be written like X1(α), Y1(α), and Z1(α) to be
precise, (α) has been omitted for convenience in writing.
(2-2-2) Doubling 

Elliptic curve doubling is carried out as follows. 
For the input of the point P

P = (X1(α) : Y1(α) : β × Z1(α))
on the elliptic curve E, the elliptic curve order computing
unit 504 calculates

S = 4 × X1 × Y1^2 = 4 * X1 * Y1 * Y1
M = 3 × X1^2 + a × Z1^4 × f(α)^2
= 3 * X1 * X1 + a * ((Z1 * Z1) * f(α)) * (Z1^2 * f(α))
T = -2 × S + M * M
and calculates

X3 = T
Y3 = -8 × Y1^4 + M × (S - T)
= -8 * (Y1^2) * (Y1^2) + M * (S - T)
Z3 = 2 * Y1 * Z1

The elliptic curve order computing unit 504 then computes
β × Z3

and so obtains

2P = (X3(α) : Y3(α) : β × Z3(α))
as the outcome of doubling the point P on the elliptic curve
E.

Note once again that, though X1, Y1, Z1, X3, Y3, Z3, S, M,
and T are polynomials in the variable α and therefore should be
written like X1(α), Y1(α), and Z1(α) to be precise, (α) has been
omitted for convenience in writing.

The numbers of multiplications performed in the above
addition formula and doubling formula are respectively 16 and 10,
as can be seen from the number of operators * in each of the
formulas. When the computational complexity of a polynomial
multiplication is measured as 1 × PMul, the computational
complexity of the addition is 16 × PMul and the computational
complexity of the doubling is 10 × PMul.

When compared with prior art example 3, the computational
complexity of the addition is 1 × PMul larger than that of the
addition in example 3, whereas the computational complexity of
the doubling is 2 × PMul smaller than that of the doubling in
example 3.

In general, doubling is repeated more frequently than
addition, so the decrease in the computational complexity of the
doubling contributes greatly to reducing the overall computational
complexity.

(2-3) Deduction of the Addition Formula and the Doubling Formula
The following is an explanation of how the above addition
formula and doubling formula are deduced.

Addition and doubling for the elliptic curve E over a finite
field in the Jacobian coordinate are as follows. Here,
P = (x1:y1:z1), Q = (x2:y2:z2), and P+Q = R = (x3:y3:z3).
(Addition) (where P ≠ ±Q)

x3 = -H^3 - 2*U1*H^2 + r^2

y3 = -S1*H^3 + r*(U1*H^2 - x3)

z3 = z1*z2*H

where

U1 = x1*z2^2
U2 = x2*z1^2
S1 = y1*z2^3
S2 = y2*z1^3
H = U2 - U1
r = S2 - S1
(Doubling) (where P = Q)

x3 = T

y3 = -8*y1^4 + M*(S-T)

z3 = 2*y1*z1

where

S = 4*x1*y1^2
M = 3*x1^2 + a*z1^4
T = -2*S + M^2

This addition and doubling are then applied to the
polynomial residue class ring R.

Here, P = (X1(α) : Y1(α) : β*Z1(α)), Q = (X2(α) : Y2(α) : β*Z2(α)), and
P+Q = R = (X3(α) : Y3(α) : β*Z3(α)).

Also,

x1 = X1(α), y1 = Y1(α), z1 = β*Z1(α)
x2 = X2(α), y2 = Y2(α), z2 = β*Z2(α)
x3 = X3(α), y3 = Y3(α), z3 = β*Z3(α)

are given.

(Addition for the Elliptic Curve E on the Polynomial Residue
Class Ring R in Jacobian Coordinate)

Addition for the elliptic curve E on the polynomial residue
class ring R in the Jacobian coordinate is the following:

U1 = X1*β^2*Z2^2

U2 = X2*β^2*Z1^2

S1 = Y1*β^3*Z2^3

S2 = Y2*β^3*Z1^3
Let U1' = U1/β^2, U2' = U2/β^2, S1' = S1/β^3, and S2' = S2/β^3.

Then

H = (U2' - U1')*β^2
r = (S2' - S1')*β^3

Here, let H' = H/β^2 and r' = r/β^3. Then

x3 = -H'^3*β^6 - 2*U1'*β^2*H'^2*β^4
     + r'^2*(β^3)^2
Here, let x3' = x3/β^6. Then
x3' = -H'^3 - 2*U1'*H'^2 + r'^2

y3 = -S1'*β^3*H'^3*β^6

     + r'*β^3*(U1'*β^2*H'^2*β^4 - x3'*β^6)
Here, let y3' = y3/β^9. Then

y3' = -S1'*H'^3 + r'*(U1'*H'^2 - x3')
z3 = Z1*β*Z2*β*H'*β^2

Here, let z3' = z3/β^4. Then
X3 = x3'*β^6
Y3 = y3'*β^9
β*Z3 = z3'*β^4
Accordingly,

(X3 : Y3 : β*Z3) = (X3/β^6 : Y3/β^9 : β*Z3/β^3)

so that

(X3 : Y3 : β*Z3) = (x3' : y3' : β*z3')
This being so, setting x3', y3', z3', U1', U2', S1', S2', H',
and r' respectively as X3, Y3, Z3, U1, U2, S1, S2, H, and r
yields the addition formula of the invention.

(Doubling for the Elliptic Curve E on the Polynomial Residue
Class Ring R in Jacobian Coordinate)

Doubling for the elliptic curve E on the polynomial residue
class ring R in the Jacobian coordinate is the following:

S = 4*X1*Y1^2
M = 3*X1^2 + a*Z1^4*β^4
Since β^2 = f(α),

M = 3*X1^2 + a*Z1^4*f(α)^2

and, with T = -2*S + M^2,

x3 = T
y3 = -8*Y1^4 + M*(S-T)
z3 = 2*Y1*β*Z1

From X3 = x3, Y3 = y3, and Z3 = z3/β = 2*Y1*Z1, the doubling formula
of the invention is deduced.

(1.7. Elliptic Curve Condition Judging Unit 505)

The elliptic curve condition judging unit 505 reads the prime
p and the order m from the information storing unit 507 and
judges whether the order m is a prime and whether m ≠ p. The
elliptic curve condition judging unit 505 then outputs security
judgement information showing whether m is a prime not equal to
p, to the controlling unit 506.
(1.8. Controlling Unit 506)

The controlling unit 506 receives the prime p and the
instruction to construct an elliptic curve, from the inputting
unit 508.

On receiving the instruction, the controlling unit 506 writes 
the prime p into the information storing unit 507 and instructs 
the random number generating unit 501 to generate a random 
number. 

The controlling unit 506 then controls the random number 
generating unit 501, the elliptic curve setting unit 502, the 
elliptic curve finitude judging unit 503, the elliptic curve 
order computing unit 504, and the elliptic curve condition 
judging unit 505 to sequentially execute their respective 
procedures . 

Also, the controlling unit 506 receives the order judgement 
information from the elliptic curve finitude judging unit 503. 
If the received information shows that the order ml and the order 
m2 are relatively prime, the controlling unit 506 has the 
elliptic curve order computing unit 504 commence the processing 
thereof. If the information shows that ml and m2 are not 
relatively prime, the controlling unit 506 cancels the processing 
of the elliptic curve order computing unit 504 and instead 
instructs the random number generating unit 501 to generate a 
random number. 

Also, when receiving the elliptic curve rejection information
from the elliptic curve order computing unit 504, the controlling
unit 506 cancels the processing of the elliptic curve condition
judging unit 505 and instead instructs the random number
generating unit 501 to generate a random number.

Also, the controlling unit 506 receives the security
judgement information from the elliptic curve condition judging
unit 505. If the received information shows that the order m is
a prime not equal to the prime p, the controlling unit 506 reads
the parameters a and b from the information storing unit 507 and
passes the read parameters a and b to the outputting unit 509.
If the received information does not show that m is a prime not equal
to p, the controlling unit 506 controls the random number
generating unit 501 to generate a random number.
(1.9. Outputting Unit 509) 

The outputting unit 509 receives the parameters a and b from 
the controlling unit 506 and writes the parameters a and b into 
the parameter storing unit 510. 
(1.10. Parameter Storing Unit 510) 

The parameter storing unit 510 is implemented by the hard
disk 14 and stores the parameters a and b.

(2. Operation of the Elliptic Curve Construction Device 500) 

The following is an explanation of the operation of the 
elliptic curve construction device 500. 

(2.1. General Operation of the Elliptic Curve Construction Device
500)

The general operation of the elliptic curve construction
device 500 is explained below with reference to Fig. 7.

The inputting unit 508 receives from the user a prime p and
an instruction to construct an elliptic curve E, and passes the
prime p and the instruction to the controlling unit 506 (S100).

The controlling unit 506 instructs the random number
generating unit 501 to generate a random number, and the random
number generating unit 501 accordingly generates a random number
t and writes the random number t into the information storing
unit 507 (S101).

The elliptic curve setting unit 502 reads the random number 
t from the information storing unit 507 and sets -3 and t 
respectively as parameters a and b of the elliptic curve E 
(S102) . 

The elliptic curve finitude judging unit 503 chooses primes
p1 and p2, calculates the orders m1 and m2 of the respective elliptic
curves Ep1 and Ep2 produced by reducing the elliptic curve E on
the rational number field modulo p1 and p2 (S103), and checks
whether m1 and m2 are relatively prime (S104). If m1 and m2 are
not relatively prime, the operation returns to step S101 under
the control of the controlling unit 506.

If m1 and m2 are relatively prime, the controlling unit 506
instructs the elliptic curve order computing unit 504 to compute
the order m of the elliptic curve E, and the elliptic curve order
computing unit 504 accordingly computes the order m using the SEA
algorithm (S105).

If the controlling unit 506 receives elliptic curve rejection
information (S106), the operation returns to step S101.

If the controlling unit 506 does not receive the elliptic
curve rejection information, the elliptic curve condition judging
unit 505 judges whether the order m of the elliptic curve E is a
prime not equal to the prime p (S107). When m is a prime and
m ≠ p, the controlling unit 506 instructs the outputting unit 509
to output the parameters a and b, and the outputting unit 509
accordingly outputs the parameters a and b (S108).

When it is not judged in step S107 that the order m is a
prime not equal to p, the operation returns to step S101.
(2.2. Operation of the Elliptic Curve Order Computing Unit 504)

The operation of the elliptic curve order computing unit 504
is explained below with reference to Fig. 8.

Let m be the order of the elliptic curve E and t be such that
m = p + 1 - t

Also, let

f(x) = x^3 + ax + b

The elliptic curve order computing unit 504 sets an integer
variable L at an initial value 2 (S910).

The elliptic curve order computing unit 504 then calculates
the number of linear factors after factoring a modular polynomial
Φ_L(T, j(E)) in a ring GF(p)[T] of polynomials in a variable T
(S911).

When the number of linear factors is 2 (S912), the elliptic
curve order computing unit 504 solves t mod L (S913) and solves
t mod L^n (n = 2, 3, ...) according to the isogeny cycle algorithm
(S914).

When the number of linear factors is 1 or L+1 (S912), the
elliptic curve order computing unit 504 solves t mod L (S915) and
judges whether the isogeny cycle algorithm is applicable (S916).
If the isogeny cycle algorithm is applicable, the elliptic curve
order computing unit 504 computes t mod L^n (n = 2, 3, ...)
according to the isogeny cycle algorithm (S917).

When the number of linear factors is 0 (S912), on the other
hand, the elliptic curve order computing unit 504 narrows down
possible values of t mod L from the set {0, 1, ..., L-1}

(S918).

Next, if

L1^(n1) × L2^(n2) × ... × Lk^(nk) < 4×p^(1/2)

(where L1, L2, ..., and Lk are primes and
Lk = L)

is satisfied (S919), the elliptic curve order computing unit
504 increases L to the next prime (S921) and returns to step
S911.



If the inequality in step S919 is not satisfied, the elliptic 
curve order computing unit 504 determines the order m according 
to the match & sort algorithm and writes the order m into the 
information storing unit 507 (S920) . 
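The tail of this procedure, as an added worked example that is not part of the patent: once the SEA steps have delivered t mod L for enough primes L (steps S919 and S921 decide how many), the residues are combined, centred with the Hasse bound, m = p + 1 - t is formed, and the judgement of unit 505 is applied to m. The Elkies and Atkin steps themselves are not implemented: the residues are taken from a brute-force point count over a constructed tiny prime, every L is used with n = 1, and the match & sort step over sets of candidate residues (S918) is not shown.

```python
from math import isqrt

def is_prime(n):
    """Trial division; adequate for the small numbers in this example."""
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))

def curve_order_bruteforce(p, a, b):
    """Ground truth for tiny odd primes p: m = p + 1 + sum over x of chi(x^3 + a*x + b),
    chi being the Legendre symbol evaluated by Euler's criterion."""
    total = p + 1
    for x in range(p):
        v = (x * x * x + a * x + b) % p
        if v:
            total += 1 if pow(v, (p - 1) // 2, p) == 1 else -1
    return total

def primes_for_sea(p):
    """S919/S921: take primes L = 2, 3, 5, ... (L != p) while their product is still
    below 4*sqrt(p); every L is used with n = 1 here."""
    primes, product, L = [], 1, 2
    while product * product < 16 * p:          # product < 4*sqrt(p)  <=>  product^2 < 16*p
        if L != p and is_prime(L):
            primes.append(L)
            product *= L
        L += 1
    return primes

def crt(residues):
    """Combine {modulus: t mod modulus} (pairwise coprime moduli) into (t mod N, N)."""
    t, N = 0, 1
    for n, r in residues.items():
        k = ((r - t) * pow(N, -1, n)) % n      # smallest k with t + N*k == r (mod n)
        t, N = t + N * k, N * n
    return t % N, N

def trace_from_residues(p, residues):
    """S920 for fully determined residues: N > 4*sqrt(p) and the Hasse bound |t| <= 2*sqrt(p)
    leave a single candidate, so the match & sort step reduces to centring the residue."""
    t, N = crt(residues)
    if N * N <= 16 * p:
        raise ValueError("moduli too small: their product must exceed 4*sqrt(p)")
    return t if t <= isqrt(4 * p) else t - N

def construct_and_judge(p, a, b):
    """Residues t mod L as the SEA steps would deliver them (taken here from the brute-force
    count), CRT reconstruction of t and m = p + 1 - t, then the check of unit 505 on m."""
    m_true = curve_order_bruteforce(p, a, b)
    residues = {L: (p + 1 - m_true) % L for L in primes_for_sea(p)}
    m = p + 1 - trace_from_residues(p, residues)
    return m, m == m_true, is_prime(m) and m != p
```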

(2.3. Operation of Computing t mod L^n by the Elliptic Curve
Order Computing Unit 504)

The operation of computing t mod L by the elliptic curve 
order computing unit 504 is explained below with reference to 
Fig. 9. 

In Case 1, the elliptic curve order computing unit 504 first
sets n = 2 (S131), computes a polynomial H(α) based on k mod L and
h(α) (S132), and assigns the outcome to h(α)(S133). The
elliptic curve order computing unit 504 then computes k mod L^n
using the polynomial h(α) (S134) and decides based on the degree
of the polynomial h(α) whether to proceed to the next step.
Assuming that the degree of h(α) is denoted by deg(h(α)), it is
judged whether

(deg(h)^2) × L^2 × (L^(2×n)) > |p|^3/135
where |p| represents the number of bits of p (S135). If this
inequality is true, the elliptic curve order computing unit 504
defines

t = (k^2 + p)/k mod L
(S137) and completes the isogeny cycle. If the inequality
is false, the elliptic curve order computing unit 504 adds 1 to
n (S136) and repeats steps S132 to S135 until the inequality is
satisfied.

As a result, t mod L is obtained. 

Although the same computation as in Case 1 is carried out in 
Case 2, in Case 2 the isogeny cycle algorithm might not be 
applicable. Therefore, in Case 2 the elliptic curve order 
computing unit 504 tests whether the isogeny cycle algorithm is 
applicable prior to the computation of t mod L (see Fig. 8) . 
(2.4. Doubling or Addition of Points on the Elliptic Curve E by 
the Elliptic Curve Order Computing Unit 504) 

To compute an exponentiation point kP on the elliptic curve 
E, the elliptic curve order computing unit 504 first splits the 
computation of kP into doublings and additions on the elliptic 
curve E, and performs the doublings and the additions in 
accordance with the procedure given below. Here, the type of the 
arithmetic operation (i.e. doubling or addition) to be performed 
and the affine coordinates of one or two elliptic curve points 
which are subjected to the arithmetic operation are given in 
advance of the procedure. By repeating the following procedure 
for all of the doublings and additions, the exponentiation point 
kP is obtained. 

The elliptic curve arithmetic operation on the elliptic curve
E by the elliptic curve order computing unit 504 is explained
below with reference to Fig. 10.
The elliptic curve order computing unit 504 performs a
doubling or an addition on the elliptic curve E: y^2 = f(x) over
the residue class ring, modulo the polynomials β^2 - f(α) and h(α), of
polynomials in the two variables α and β (where f(α) = α^3 + aα + b, a and
b are constants, and h(α) is a polynomial in the variable α),
in the following way.

The elliptic curve order computing unit 504 receives 
operation information indicating addition and the affine 
coordinates of two different points on the elliptic curve E which 
are subjected to the addition, or receives operation information 
indicating doubling and the affine coordinates of a single point 
on the elliptic curve E which is subjected to the doubling. Let

(X1(α), β×Y1(α))

(X2(α), β×Y2(α))

be the affine coordinates of the two different points on the
elliptic curve E, and

(X1(α), β×Y1(α))

be the affine coordinates of the single point on the elliptic
curve E (S121).

The elliptic curve order computing unit 504 transforms the
received affine coordinates into projective coordinates. The
transformation is carried out by converting the affine
coordinates (φ(α), β×ψ(α)) (φ(α) and ψ(α) being polynomials) of some
point on the elliptic curve E using the polynomials
X(α) = f(α) × φ(α)
Y(α) = f(α)^2 × ψ(α)
Z(α) = 1

and so generating the projective coordinates (X(α) : Y(α) : β×
Z(α)). In the present example, the affine coordinates of the two
different points are transformed into the projective
coordinates

(X1(α) : Y1(α) : β×Z1(α))
(X2(α) : Y2(α) : β×Z2(α))
and the affine coordinates of the single point are
transformed into the projective coordinates

(X1(α) : Y1(α) : β×Z1(α))

(S122).

The elliptic curve order computing unit 504 then checks
whether the received operation information indicates addition or
doubling (S123). If addition is indicated, the elliptic curve
order computing unit 504 computes

U1(α) = X1(α) × Z2(α)^2

U2(α) = X2(α) × Z1(α)^2

S1(α) = Y1(α) × Z2(α)^3

S2(α) = Y2(α) × Z1(α)^3
H(α) = U2(α) - U1(α)

r(α) = S2(α) - S1(α)
(S124) and computes
X3(α) = -H(α)^3 - 2 × U1(α) × H(α)^2 + r(α)^2
Y3(α) = -S1(α) × H(α)^3

  + r(α) × (U1(α) × H(α)^2 - X3(α))
Z3(α) = Z1(α) × Z2(α) × H(α)

(S125).

If, on the other hand, doubling is indicated, the elliptic
curve order computing unit 504 computes

S(α) = 4 × X1(α) × Y1(α)^2
M(α) = 3 × X1(α)^2 + a × Z1(α)^4 × f(α)^2
T(α) = -2 × S(α) + M(α)^2

(S126) and computes

X3(α) = T(α)

Y3(α) = -8 × Y1(α)^4 + M(α) × (S(α) - T(α))
Z3(α) = 2 × Y1(α) × Z1(α)

(S127).

Lastly, the elliptic curve order computing unit 504 outputs
the projective coordinates (X3(α) : Y3(α) : β×Z3(α)) (S128).
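The steps S121 to S128 above, together with the formulas of (2-2-1), (2-2-2) and (2-3), as an added worked example that is not the patent's own code: arithmetic in R is done on polynomials in α reduced modulo a constructed h(α) and prime p, a point is stored without β as (X, Y, Z) standing for (X : Y : β×Z), and the formulas are checked by computing 4P from the generic point (α, β) both as 2(2P) and as ((2P)+P)+P. The prime, the parameters a and b, and h(α) are constructed toy values; the on-curve test Y^2 = X^3 + a×X×f^2×Z^4 + b×f^3×Z^6 is derived here from the coordinate transformation and is not stated in the patent.

```python
# Constructed toy parameters (not from the patent): prime p, curve y^2 = x^3 + a*x + b
# with a = -3 as in the embodiment, and a monic modulus h(alpha) of degree D.
p = 1_000_003
a, b = -3, 7
h = [1, 2, 0, 1]           # h(alpha) = alpha^3 + 2*alpha + 1, coefficients low-to-high
D = len(h) - 1             # ring elements are polynomials in alpha of degree < D
def poly(*coeffs):
    """Element of GF(p)[alpha]/(h(alpha)) from at most D coefficients, low-to-high."""
    return ([c % p for c in coeffs] + [0] * D)[:D]
def add(u, v): return [(x + y) % p for x, y in zip(u, v)]
def sub(u, v): return [(x - y) % p for x, y in zip(u, v)]
def smul(k, u): return [(k * x) % p for x in u]        # integer scalar times polynomial

def mul(u, v):
    """Polynomial product, reduced modulo p and modulo the monic h(alpha)."""
    prod = [0] * (2 * D - 1)
    for i, x in enumerate(u):
        for j, y in enumerate(v):
            prod[i + j] = (prod[i + j] + x * y) % p
    for i in range(2 * D - 2, D - 1, -1):               # long division by h, keep the remainder
        q = prod[i]
        for j in range(D + 1):
            prod[i - D + j] = (prod[i - D + j] - q * h[j]) % p
    return prod[:D]

def pw(u, n):
    r = poly(1)
    for _ in range(n):
        r = mul(r, u)
    return r
ALPHA = poly(0, 1)
F = add(add(pw(ALPHA, 3), smul(a, ALPHA)), poly(b))   # f(alpha) = alpha^3 + a*alpha + b = beta^2

def to_projective(phi, psi):
    """S122: affine (phi, beta*psi) -> (f*phi : f^2*psi : beta*1), stored as (X, Y, Z) without beta."""
    return mul(F, phi), mul(pw(F, 2), psi), poly(1)

def ec_add(P, Q):
    """(2-2-1) / S124-S125: addition for P != +-Q (multiplication count not optimised here)."""
    (X1, Y1, Z1), (X2, Y2, Z2) = P, Q
    U1, U2 = mul(X1, pw(Z2, 2)), mul(X2, pw(Z1, 2))
    S1, S2 = mul(Y1, pw(Z2, 3)), mul(Y2, pw(Z1, 3))
    H, r = sub(U2, U1), sub(S2, S1)
    H2 = mul(H, H)
    H3 = mul(H2, H)
    X3 = add(sub(smul(-1, H3), smul(2, mul(U1, H2))), mul(r, r))
    Y3 = add(smul(-1, mul(S1, H3)), mul(r, sub(mul(U1, H2), X3)))
    return X3, Y3, mul(mul(Z1, Z2), H)

def ec_double(P):
    """(2-2-2) / S126-S127: doubling; a*z1^4 = a*beta^4*Z1^4 = a*Z1^4*f(alpha)^2 since beta^2 = f."""
    X1, Y1, Z1 = P
    S = smul(4, mul(X1, mul(Y1, Y1)))
    M = add(smul(3, mul(X1, X1)), smul(a, mul(pw(Z1, 4), mul(F, F))))
    T = add(smul(-2, S), mul(M, M))                     # X3 = T
    Y3 = add(smul(-8, pw(Y1, 4)), mul(M, sub(S, T)))
    return T, Y3, smul(2, mul(Y1, Z1))

def on_curve(P):
    """(X : Y : beta*Z) is on E iff Y^2 = X^3 + a*X*f^2*Z^4 + b*f^3*Z^6 (beta eliminated via beta^2 = f)."""
    X, Y, Z = P
    rhs = add(pw(X, 3), smul(a, mul(mul(X, mul(F, F)), pw(Z, 4))))
    return mul(Y, Y) == add(rhs, smul(b, mul(pw(F, 3), pw(Z, 6))))

def same_point(P, Q):
    """Jacobian equivalence (the beta factors cancel): X1*Z2^2 = X2*Z1^2 and Y1*Z2^3 = Y2*Z1^3."""
    (X1, Y1, Z1), (X2, Y2, Z2) = P, Q
    return mul(X1, pw(Z2, 2)) == mul(X2, pw(Z1, 2)) and mul(Y1, pw(Z2, 3)) == mul(Y2, pw(Z1, 3))

def check_formulas():
    """From the generic point (alpha, beta) compute 4P as 2(2P) and as ((2P)+P)+P and compare."""
    P0 = to_projective(ALPHA, poly(1))
    P2 = ec_double(P0)
    P4_dbl, P4_add = ec_double(P2), ec_add(ec_add(P2, P0), P0)
    return all(on_curve(Q) for Q in (P0, P2, P4_dbl, P4_add)), same_point(P4_dbl, P4_add)
```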
(3. Conclusion) 

As described above, the elliptic curve setting unit 502 is
likely to choose a secure elliptic curve beforehand, so that the
processes of choosing an elliptic curve and testing its security
do not have to be repeated over and over again. Accordingly,
the overall computational complexity in the elliptic curve
construction device 500 is reduced.
Also, the elliptic curve finitude judging unit 503 assesses
the security of the elliptic curve by checking whether the
elliptic curve contains a point with a finite order, prior to the
computation of the elliptic curve order. Since an elliptic
curve which is judged as not secure is rejected at this stage,
unnecessary calculation of the order of such an elliptic curve is
avoided, which makes it possible to reduce the overall
computational complexity in the elliptic curve construction
device 500.

Also, in the computation of the exponentiation point kP on the
elliptic curve by the elliptic curve order computing unit 504,
doubling is repeated more frequently than addition. In general,
the computational complexity of computing kP according to the signed
binary window method can be expressed as

|k| × (ED + EA/3)

where EA denotes the computational complexity of an addition,
ED denotes the computational complexity of a doubling, and |k|
denotes the number of bits of k. With the signed binary window
method, the computational complexity for finding kP according to the
invention is 15.3×PMul×|k|, whereas the computational complexity for
finding kP according to prior art example 3 is 17×PMul×|k|. As
a result, the overall computational complexity is further reduced
according to the invention.
(4. Modifications)
Although the elliptic curve construction device according to
the invention has been explained based on the embodiment, the
invention is not limited to such. For example, the following
modifications are possible.

(1) The invention may be an elliptic curve application device
provided with the elliptic curve construction device described
above. Examples of such an elliptic curve application device are
an encrypted communication system made up of an encryption device
and a decryption device, a digital signature system made up of a
digital signature device and a signature verification device, and
an error-correction communication system made up of an error-
correction code transmission device and an error correction
device.

The encrypted communication system uses elliptic curves to 
perform communication without the communicated content being 
revealed to third parties. The digital signature system uses 
elliptic curves to enable the receiver to verify whether the 
communicated content is valid or whether the information is from 
the stated sender. The error-correction communication system 
uses elliptic curves to recover original information from 
information which has been altered or lost while it was being 
transmitted on a communication line. 

(2) Though the elliptic curve setting unit 502 has set the
parameters a and b of the elliptic curve E: y^2 = x^3 + ax + b
respectively as a = -3 and b = t, the parameters a and b may instead
be set in the following fashion.

The elliptic curve setting unit 502 defines the above shown
discriminant TD against the elliptic curve E: y^2 = x^3 + ax + b (a
and b are integers) on the rational number field, and sets the
parameters a and b such that the probability of the discriminant
TD having a square factor will end up being lower than a
predetermined threshold value. As an example, the predetermined
threshold value is 0.001. By doing so, the chance that a secure
elliptic curve is formed increases, as explained in the above
embodiment.

(3) The invention may be an elliptic curve arithmetic 
operation device for performing elliptic curve arithmetic 
operations for points on the elliptic curve defined over the 
polynomial residue class ring, as embodied by the elliptic curve 
order computing unit 504. 

(4) The invention may be an elliptic curve order computation 
device for computing the order of the elliptic curve, as embodied 
by the elliptic curve order computing unit 504. 

(5) The invention may be an elliptic curve arithmetic
operation method, an elliptic curve order computation method, or
an elliptic curve construction method shown in the embodiment.

Also, the invention may be a computer program that implements
the elliptic curve arithmetic operation method, the elliptic
curve order computation method, or the elliptic curve
construction method on a computer, or digital signals that
compose such a computer program.

Further, the invention may be a computer-readable storage 
medium, such as a floppy disk, a hard disk, a CD-ROM (compact 
disk read only memory) , an MO (magneto-optical disk) , a DVD 
(digital versatile disk) , a DVD-ROM, a DVD-RAM, or a 
semiconductor memory, that stores the computer program or the 
digital signals. Likewise, the invention may be the computer 
program or digital signals stored in such a storage medium. 

The invention can also be realized by transferring the 
computer program or the digital signals via a network such as a 
telecommunication network, a radio or cable communication 
network, or the Internet. 

(6) Various combinations of the embodiment and the 
modifications stated above, as well as combinations of the 
modifications themselves, are possible. 

Although the present invention has been fully described by 
way of examples with reference to the accompanying drawings, it 
is to be noted that various changes and modifications will be 
apparent to those skilled in the art. Therefore, unless such 
changes and modifications depart from the scope of the present 
invention, they should be construed as being included therein. 